Abstract. We propose a new declarative planning language, called $\mathcal{K}$, which is based on principles
and methods of logic programming. In this language, transitions between states of knowledge can
be described, rather than transitions between completely described states of the world, which makes
the language well-suited for planning under incomplete knowledge. Furthermore, it enables the
use of default principles in the planning process by supporting negation as failure. Nonetheless, $\mathcal{K}$
also supports the representation of transitions between states of the world (i.e., states of complete
knowledge) as a special case, which shows that the language is very flexible. As we demonstrate
on particular examples, the use of knowledge states may allow for a natural and compact problem
representation. We then provide a thorough analysis of the computational complexity of $\mathcal{K}$, and
consider different planning problems, including standard planning and secure planning (also known
as conformant planning) problems. We show that these problems have different complexities under
various restrictions, ranging from NP to NEXPTIME in the propositional case. Our results form the
theoretical basis for the DLV$^\mathcal{K}$ system, which implements the language $\mathcal{K}$ on top of the DLV logic
programming system.
1 Introduction

Since intelligent agents must have planning capabilities, planning has been an important problem in AI since 
its very beginning, and numerous approaches and methods have been developed in extensive work over the 
last decades. The formulation of planning as a problem in logic dates back to a proposal of McCarthy in the 
1950s; the breakthrough of Robinson’s resolution method laid the basis for deductive planning as in Green’s 
paper [31] and the well-known situation calculus [51]. However, because of defects such as the well-known 
frame problem, deductive planning lost attention, while the STRIPS approach [20], a hybrid between logic 
and procedural computation, and its derivatives were gaining importance. For a long period then, hardly any
other logic-related planning systems were explored.

In the last 12 years, however, logic-based planning celebrated a renaissance, emerging in different 
streams of work: 

• Solutions to the frame problem have been worked out, and deductive planning based on the situational 
calculus has been considered extensively, in particular by the Toronto group, leading to the GOLOG 
planning language [40]. In parallel, planning in the event calculus [38] has been pursued, starting 
from [15, 63]. 

• Formulating planning problems as logical satisfiability problems, proposed by Kautz and Selman [36],
made it possible to solve large planning problems which could not be solved by specialized planning systems,
and led to the efficient Blackbox planning system [37]. In the same spirit, other approaches reduced
planning problems to computational tasks in logical formalisms, including logic programming [8, 65],
model checking [5, 6], and Quantified Boolean Formulas [60].

• Planning as a task in logic-based languages for reasoning about actions, which were developed in the 
context of logics for knowledge representation and logic programming, e.g. [23, 35, 26, 27, 28, 34, 48, 
67]; see [24, 68] for surveys. Implementing these languages using, in the spirit of Kautz and Selman, 
satisfiability solvers led to the causal calculator (CCALC) [49, 47] and the C-plan system [25], which 
is based on the important C action language [27]. 

In very influential papers, Lifschitz proposed answer set programming as a tool for problem solving, and 
in particular for planning [43,44]. In this approach, planning problems, formulated in a domain-independent 
planning language, are mapped into an extended logic program such that the answer sets of this program 
give the solutions of the planning problem (cf. also [45]). In this way, planners may be created which support 
expressive action description languages and, by the use of efficient answer set engines such as smodels [33]
or DLV [13], allow for efficient problem solving. 

In our work, we pursue this suggestion and develop it further. In the present paper, we propose a
new language, $\mathcal{K}$, for planning under incomplete knowledge. We name it $\mathcal{K}$, to emphasize that it describes
transitions between states of knowledge rather than between states of the world. Namely, language C and
many others are based on extensions of classical logics and describe transitions between possible states of the 
world. Here, a state of the world is characterized by the truth values of a number of fluents, i.e., predicates 
describing relevant properties of the domain of discourse, where every fluent necessarily is either true or 
false. An action is applicable only if some precondition (formula over the fluents) is true in the current state, 
and executing this action changes the current state by modifying the truth values of some fluents. 

However, planning agents usually don’t have a complete view of the world. Even if their knowledge is
incomplete, that is, a number of fluents is unknown, they must take decisions, execute actions, and reason
on the basis of their (incomplete) information at hand. For example, imagine a robot in front of a door. If it
is unknown whether the door is open, the robot may decide to push back. Alternatively, it might decide to
sense the door status in order to obtain complete information. However, this requires that a suitable sensing
action is available and, importantly, actually executable (that is, the sensor is not broken). Thus, even in
the presence of sensing, some fluents may remain unknown and leave an agent in a state of incomplete
information.

Figure 1: A blocksworld example.

Our language $\mathcal{K}$ adopts a three-valued view of fluents in which their values might be true, false, or unknown.
The language is very flexible, and is capable of modeling transitions between states of the world
(i.e., states of complete knowledge) and of reasoning about them as a particular case, as we shall discuss.
Compared to similar planning languages, $\mathcal{K}$ is closer in spirit to answer set semantics [22] than to classical
logics. It allows for the use of default negation, exploiting the power of answer sets to deal with
incomplete knowledge. We also analyze the computational complexity of $\mathcal{K}$, which provides the theoretical
background for the DLV$^\mathcal{K}$ system implementing $\mathcal{K}$ on top of the DLV system [13, 16]. DLV$^\mathcal{K}$ provides
a powerful declarative planning system, which is ready-to-use for experiments (see
<URL:http://www.dbai.tuwien.ac.at/proj/dlv/>).

1.1 A Brief Overview of $\mathcal{K}$

As an appetizer, we give a brief exposition of the main features of the language $\mathcal{K}$, which will be formally
defined in Section 2. We occasionally refer to well-known planning problems in the “blocksworld” domain, 
which require turning given configurations of blocks into goal configurations (see Figure 1). 

Background Knowledge The planning domain has a background which is represented by a normal (that 
is, disjunction-free) stratified logic program. The rules and facts of this program define predicates which 
are not subject to change, i.e. represent static knowledge. An example in blocksworld is block(B), which 
states the (unchangeable) property that B is a block. 

Type Declarations The ranges of the arguments of fluents and actions are typed, by stating that certain 
predicates must hold on them. For example, 

move(B, L) requires block(B), location(L).

specifies the types for the arguments of action move. The literals after the requires keyword (here, 
block(B) and location(L)) must be positive literals of the static background knowledge mentioned above. 

Causation Rules The main construct of $\mathcal{K}$ are causation rules. They are syntactically similar to rules of
the language C [27, 43, 45] and have the form:

caused f if B after A.

Intuitively, this rule reads “If B is known to be true in the current state and A is known to be true in the 
previous state, then f is known to be true in the current state.” Both the if part and the after part may be 
empty (which means that it is true). 


Negation Default (or weak) negation “not” can be used in the if and the after part of the rules. It
allows for natural modeling of inertial properties, default properties, and dealing with incomplete knowledge
in general, similar to logic programming with answer set semantics. Furthermore, strong negation (“¬”,
written in programs as “-”) is supported as well. In order to support convenient problem representation, $\mathcal{K}$
provides several constructs, which are “implemented” through weak negation, as, e.g.,

inertial on(X,Y).

which informally states that on(X, Y) is concluded to hold in the current state if on(X, Y) held at the previous
state and -on(X, Y) is not explicitly known to hold, or

default -on(X, Y).

which states that -on(X, Y) is concluded to hold unless on(X, Y) is known to hold (as it has been explicitly
entailed by some causation rule).


Executability of Actions In order to be eligible for execution, any action needs to satisfy some precondition
in a given state of knowledge, which can be stated using executability statements. For example,

executable move(X, Y) if not occupied(X), not occupied(Y), X <> Y. 

states that block X can be moved on location Y if both X and Y are clear and X ≠ Y (assuming proper typing).
Multiple executability statements for the same action are allowed. If the body is empty, it means that the 
action always qualifies for execution, provided that the type restrictions on X and Y are respected. On the 
other hand, execution of an action A under condition B can also be blocked, by the statement 

nonexecutable A if B. 

In case of conflicts, nonexecutable A overrides executable A. 


Integrity Constraints In general, a causation rule expresses a state constraint that must be fulfilled in all
states. It is very common to state integrity constraints for states (possibly referring to the respective preceding
state), i.e., conjunctions of literals which cannot simultaneously be satisfied. To facilitate convenient
representation of integrity constraints, $\mathcal{K}$ provides a statement

forbidden B after A 

as a shortcut for caused false if B after A. Intuitively, it discards any state where B is (known to be) 
true, if A is (known to be) true in the previous state. 
Initial State Constraints $\mathcal{K}$ allows to declare causation rules with empty after-part that should apply to
the initial state only. Such rules, which represent constraints on the initial state, must be preceded by the
keyword “initially:”. For example,

initially: forbidden block(B), not supported(B). 

requires that the fluent supported is true for every block in the initial state; the constraint is irrelevant for
all subsequent states. Initial state constraints may profitably reduce computation effort: If we are guaranteed 
that actions preserve some property P, then it is sufficient to check the validity of P only on the initial state 
to ensure that it holds in any state. 

Parallel Execution of Actions By default, simultaneous execution of actions is allowed in $\mathcal{K}$. This can be
prohibited by suitable rules; however, for the user’s convenience, a statement 

noConcurrency. 

is provided as a shortcut which enforces the execution of at most one action at a time. 

Handling of Complete and Incomplete Knowledge $\mathcal{K}$ also allows one to represent transitions between
possible states of the world (which can be seen as states of complete knowledge). First of all, we can easily
enforce that the knowledge on some fluent f is complete, using a rule

forbidden not f, not -f.

Moreover, we can “totalize” the knowledge of a fluent by declaring

total f.

which means that, unless a truth value for f can be derived, the cases where f resp. -f is true will be both
considered. In other words, every state will be “totalized” by adding f or -f, if none of them is true.

Goals and Plans A goal is a conjunction of ground literals; a plan for a goal is a sequence of (in general, 
sets of) actions whose execution leads from an initial state to a state where all literals in the goal are true. In 
$\mathcal{K}$, the goal is followed by a question mark and by the number of allowed steps in a plan. For instance,

on(c,b), on(b, a) ? (3) 

requests a plan of length 3 for the goal of Figure 1. 

This concludes the exposition of the $\mathcal{K}$ planning language. We remark at this point that the DLV$^\mathcal{K}$
planning system contains the command

securePlan. 

by which we can ask the system to compute only secure plans (often called conformant plans or fail-safe 
plans in the literature [29, 64]). Informally, a plan is secure, if it is applicable starting at any legal initial 
state, and enforces the goal, regardless of how the state evolves. Using this feature, we can also model 
possible-worlds planning with an incomplete initial state, where the initial world is only partially known, 
and we are looking for a plan reaching the desired goal from every possible world according to the initial 
state. Note that, by our complexity results, unlike the other statements above the “securePlan.” command
cannot be expressed as a shortcut in language $\mathcal{K}$, and thus has to be realized at an external level.
1.2 Contributions

The main contributions of the present paper are the following: 

(1) We propose a new planning language, called $\mathcal{K}$, which is based on logic programming. We
formally define language $\mathcal{K}$ and provide a declarative, model theoretic semantics for it. Importantly, the
language supports also default (nonmonotonic) negation, which enriches the knowledge modeling power of
$\mathcal{K}$. To capture the intuitive meaning of default negation, the formal semantics of the planning language $\mathcal{K}$ is
given in two steps like for stable models in logic programming [22].

(2) We illustrate the knowledge modeling features of the language by encoding some classical planning
problems in $\mathcal{K}$, in particular different versions of blocksworld and “bomb in the toilet” planning problems [52].
We proceed incrementally, presenting all main features of $\mathcal{K}$ and their usage for knowledge
representation and reasoning in planning domains. In the course of this, we show $\mathcal{K}$ encodings of classical
planning problems (dealing with complete knowledge), and we further describe how conformant planning
problems (in presence of incomplete knowledge on the initial state, or in presence of nondeterministic action
effects) can be encoded in $\mathcal{K}$.

As we show, the language $\mathcal{K}$ is capable of expressing classical encodings based on states of the world.
However, by its design it is very well-suited for encodings based on states of knowledge. We show both types 
of encodings on some “bomb in the toilet” planning problems, and discuss the two different approaches, 
highlighting some computational advantages of the encodings based on states of knowledge. 

(3) We perform a thorough study of the complexity of major planning problems in the language $\mathcal{K}$,
where we focus on the propositional case. (Results for the first-order case can be obtained in the usual 
manner.) In particular, we consider the problems of deciding the existence of an optimistic (i.e., standard) 
plan for a given length, the problem of checking whether such a plan is secure (i.e., conformant), and the 
combined problem of finding a secure (i.e., conformant) plan, under various restrictions on the planning 
instances. For formal definitions of optimistic and secure plans, we refer to Section 2.2. 

It appears that deciding the existence of an optimistic plan achieving the goal in a fixed number of steps is 
NP-complete, while it is PSPACE-complete in general. Thus, in general we have the same complexity as 
for planning in corresponding STRIPS-like systems [20], which are well-known PSPACE-complete [3]. On 
the other hand, finding secure plans is obviously harder, because it allows us to encode also planning under 
incomplete initial states as in [1], which was shown to be -complete there for polynomial-length plans. In 
fact, deciding the existence of a secure plan of variable (arbitrary) length is NEXPTIME-complete, and thus 
not polynomially reducible to planning in STRIPS-like systems or to QBF-solvers, which can only express 
problems in PSPACE (unless NEXPTIME collapses to PSPACE). Even under fixed plan length, this problem 
is X^-complete, and thus rather complex; further restrictions have to be imposed to lower its complexity. To 
this end, we introduce meaningful subclasses of planning domains and problems, in particular proper and 
plain planning domains resp. problems. As we show, for proper planning domains, existence of a secure 
plan having a fixed number of steps is only mildly harder than NP if concurrent actions are not allowed. 

Our complexity results give a clear picture of the feasibility of polynomial-time translations for particular 
planning problems into computational logic systems such as Blackbox [37], CCALC [47], smodels [33], 
DLV, satisfiability checkers, e.g. [2, 74], or Quantified Boolean Formula (QBF) solvers [4, 61, 18]. 


INFSYS RR 1843-01-11 


1.3 Structure of the Paper 

The rest of the paper is structured as follows. The next section formally introduces the language $\mathcal{K}$, and
provides the syntax and formal semantics of the core language, as well as enhancements of the language
by macro constructs that are useful “syntactic sugar” for conveniently representing problems. After that,
we consider in Section 3 knowledge representation in $\mathcal{K}$, where different aspects such as planning with
incomplete initial states, representation of nondeterministic action effects, and knowledge-based encodings
of the latter are discussed. In Section 4 we then embark on our study of the complexity of language $\mathcal{K}$, and
present an overview of the problems we considered and the main results that we obtained. Section 5 is then
devoted to the derivation of these complexity results. In Section 6, we discuss related work, and the final
Section 7 discusses further work and draws some conclusions.

The present paper is part I in a series of papers which comprehensively describe our work, and contains
the foundational semantic definitions and theoretical results; part II [12] reports about the DLV$^\mathcal{K}$ system
(which is freely available at <URL:http://www.dbai.tuwien.ac.at/proj/dlv/>) and in particular
contains an experimental evaluation and comparisons to other planning systems (for a theoretical
account, see also Section 6).


2 Language $\mathcal{K}$

In this section, we will detail syntax and semantics of the language $\mathcal{K}$ that we have briefly introduced in the
previous section. 

2.1 Basic Syntax 

2.1.1 Actions, Fluents, and Types 

Let $\sigma^{act}$, $\sigma^{fl}$, and $\sigma^{typ}$ be disjoint sets of action, fluent and type names, respectively. These names are
effectively predicate symbols with associated arity ($\geq 0$). Here, $\sigma^{fl}$ and $\sigma^{act}$ are used to describe dynamic
knowledge, whereas $\sigma^{typ}$ is used to describe static background knowledge. Furthermore, let $\sigma^{con}$ and $\sigma^{var}$
be the disjoint sets of constant and variable symbols, respectively.

Definition 2.1 For $p \in \sigma^{act}$ (resp. $\sigma^{fl}$, $\sigma^{typ}$), an action (resp. fluent, type) atom is defined as $p(t_1, \ldots, t_n)$,
where $n$ is the arity of $p$ and $t_1, \ldots, t_n \in \sigma^{con} \cup \sigma^{var}$. An action (resp. fluent, type) literal is an action
(resp. fluent, type) atom $a$ or its negation $\neg a$, where “$\neg$” is the true negation symbol, for which we also use
the customary “-”.

As usual, a literal (and any other syntactic object) is ground, if it does not contain variables. 

Given a literal $l$, let $\neg.l$ denote its complement, i.e., $\neg.l = a$ if $l = \neg a$ and $\neg.l = \neg a$ if $l = a$, where $a$
is an atom. A set $L$ of literals is consistent, if $L \cap \neg.L = \emptyset$. Furthermore, $L^+$ (resp., $L^-$) denotes the set of
positive (resp., negative) literals in $L$.

The set of all action (resp. fluent, type) literals is denoted as $\mathcal{L}_{act}$ (resp. $\mathcal{L}_{fl}$, $\mathcal{L}_{typ}$). Furthermore,
$\mathcal{L}_{fl,typ} = \mathcal{L}_{fl} \cup \mathcal{L}_{typ}$, $\mathcal{L}_{dyn} = \mathcal{L}_{fl} \cup \mathcal{L}^+_{act}$ (dyn stands for dynamic literals), and $\mathcal{L} = \mathcal{L}_{fl,typ} \cup \mathcal{L}^+_{act}$.$^1$
All actions and fluents must be declared using statements as follows.

$^1$ Note that this definition only allows positive action literals.
Definition 2.2 An action (resp., fluent) declaration, is of the form:

$p(X_1, \ldots, X_n)$ requires $t_1, \ldots, t_m$ (1)

where $p \in \mathcal{L}^+_{act}$ (resp. $p \in \mathcal{L}^+_{fl}$), $X_1, \ldots, X_n \in \sigma^{var}$ where $n \geq 0$ is the arity of $p$, $t_1, \ldots, t_m \in \mathcal{L}_{typ}$,
$m \geq 0$, and every $X_i$ occurs in $t_1, \ldots, t_m$.

If $m = 0$, the keyword requires may be omitted.

We next define causation rules, by which static and dynamic dependencies of fluents on other fluents 
and actions are specified. 

Definition 2.3 A causation rule (rule, for short) is an expression of the form

caused $f$ if $b_1, \ldots, b_k$, not $b_{k+1}, \ldots$, not $b_l$
after $a_1, \ldots, a_m$, not $a_{m+1}, \ldots$, not $a_n$ (2)

where $f \in \mathcal{L}_{fl} \cup \{false\}$, $b_1, \ldots, b_l \in \mathcal{L}_{fl,typ}$, $a_1, \ldots, a_n \in \mathcal{L}$, $l \geq k \geq 0$, and $n \geq m \geq 0$.

Rules where n = 0 are referred to as static rules, all other rules as dynamic rules. When l = 0, the keyword 
if is omitted; likewise, if n = 0, the keyword after is dropped. If both l = n = 0 then caused is optional. 

To access the parts of a causation rule $r$, we use the following notations: $h(r) = \{f\}$, $post^+(r) =
\{b_1, \ldots, b_k\}$, $post^-(r) = \{b_{k+1}, \ldots, b_l\}$, $pre^+(r) = \{a_1, \ldots, a_m\}$, $pre^-(r) = \{a_{m+1}, \ldots, a_n\}$, and
$lit(r) = \{f, b_1, \ldots, b_l, a_1, \ldots, a_n\}$. Intuitively, $pre^+(r)$ accesses the state before some action(s) happen,
and $post^+(r)$ the part after the actions have been executed.

While the scope of general static rules is over all knowledge states, it is often useful to specify rules only 
for the initial states. 

Definition 2.4 An initial state constraint is a static rule of form (2) preceded by the keyword initially.

The language $\mathcal{K}$ allows STRIPS-style [20] conditional execution of actions, where $\mathcal{K}$ allows several
alternative executability conditions for an action which is beyond the repertoire of standard STRIPS.

Definition 2.5 An executability condition is an expression of the form 

executable $a$ if $b_1, \ldots, b_k$, not $b_{k+1}, \ldots$, not $b_l$ (3)

where $a \in \mathcal{L}^+_{act}$ and $b_1, \ldots, b_l \in \mathcal{L}$, and $l \geq k \geq 0$.

If l = 0 (which means that the executability is unconditional), then the keyword if is skipped. 

Given an executability condition $e$, we access its parts with $h(e) = \{a\}$, $pre^+(e) = \{b_1, \ldots, b_k\}$,
$pre^-(e) = \{b_{k+1}, \ldots, b_l\}$, and $lit(e) = \{a, b_1, \ldots, b_l\}$. Intuitively, $pre(e)$ refers to the state at which
some action’s suitability is evaluated. Here, as opposed to causation rules we do not consider a state after the
execution of actions, and so no part $post^+(r)$ is needed. Nonetheless, for convenience we define $post^+(e) =
post^-(e) = \emptyset$.

Furthermore, for any executability condition, a rule, or an initial state constraint $r$, we define $post(r) =
post^+(r) \cup post^-(r)$, $pre(r) = pre^+(r) \cup pre^-(r)$, and $b(r) = b^+(r) \cup b^-(r)$, where $b^+(r) = post^+(r) \cup
pre^+(r)$, and $b^-(r) = post^-(r) \cup pre^-(r)$.
Example 2.1 Consider the following type declarations, causation rule, and executability condition, respectively,
where $\sigma^{typ} = \{r, s\}$, $\sigma^{fl} = \{f\}$, and $\sigma^{act} = \{ac\}$:

$t_1$ : f(X) requires -r(X,Y), s(Y,Y).
$t_2$ : ac(X,Y) requires s(X,Y).

$r_1$ : f(X) if s(X,X), not -f(X) after ac(X,Y), not -r(X,X).
$e_1$ : executable ac(X,Y) if s(Z,Y), not f(X), Z <> Y.

Then, we have $h(r_1)$ = {f(X)}, $pre(r_1)$ = {ac(X,Y), -r(X,X)} and $post(r_1)$ = {s(X,X), -f(X)}. Furthermore,
$h(e_1)$ = ac(X,Y) and $pre(e_1)$ = {s(Z,Y), f(X), Z <> Y}; here the inequality predicate Z <> Y
is regarded as default negation not (Z = Y), where equality “=” is a built-in which is tacitly present in $\sigma^{typ}$.

2.1.2 Safety Restriction 

All rules (including initial state constraints and executability conditions) have to satisfy the following syntactic
restriction, which is similar to the notion of safety in logic programs [70]. All variables in a default-negated
type literal must also occur in some literal which is not a default-negated type literal.

Thus, safety is required only for variables appearing in default-negated type literals, while it is not 
required at all for variables appearing in fluent and action literals. The reason is that the range of the latter 
variables is implicitly restricted by the respective type declarations. Observe that the rules in Example 2.1 
are all safe. 

2.1.3 Planning Domains and Planning Problems 

We now define planning domains and problems. Let us call any pair (D, R) where D is a finite set of action 
and fluent declarations and R is a finite set of safe causation rules, safe initial state constraints, and safe 
executability conditions, an action description. 

Definition 2.6 A planning domain is a pair $PD = (\Pi, AD)$, where $\Pi$ is a normal stratified Datalog program
(referred to as background knowledge), which is assumed to be safe in the standard LP sense (cf. [70]), and
$AD$ is an action description. We say that $PD$ is positive, if no default negation occurs in $AD$.

Planning domains represent the universe of discourse for solving concrete planning problems, which are 
defined next. 

Definition 2.7 A planning problem $\mathcal{P} = (PD, q)$ is a pair of a planning domain $PD$ and a query $q$, where a
query is an expression of the form

$g_1, \ldots, g_m$, not $g_{m+1}, \ldots$, not $g_n$ ? ($i$) (4)

where $g_1, \ldots, g_n \in \mathcal{L}_{fl}$ are variable-free, $n \geq m \geq 0$, and $i \geq 0$ denotes the plan length.

2.2 Semantics 

For defining the semantics of $\mathcal{K}$ planning domains and planning problems, we start with the preliminary
definition of the typed instantiation of a planning domain. This is similar to the grounding of a logic program, 
with the difference being that only correctly typed fluent and action literals are generated. 
2.2.1 Typed Instantiation

Let substitutions and their application to syntactic objects be defined as usual (i.e., assignments of constants 
to variables which replace the variables throughout the objects). 

Let $PD = (\Pi, (D, R))$ be a planning domain, and let $M$ be the (unique) answer set of $\Pi$ [22]. Then,
$\theta(p(X_1, \ldots, X_n))$ is a legal action (resp. fluent) instance of an action (resp. fluent) declaration $d \in D$ of
the form (1), if $\theta$ is a substitution defined over $X_1, \ldots, X_n$ such that $\{\theta(t_1), \ldots, \theta(t_m)\} \subseteq M$. By $\mathcal{L}_{PD}$
we denote the set of all legal action and fluent instances.

Based on this, we now define the instantiation of a planning domain respecting type information as 
follows. 

Definition 2.8 For any planning domain $PD = (\Pi, (D, R))$, its typed instantiation is given by $PD{\downarrow} =
(\Pi{\downarrow}, (D, R{\downarrow}))$, where $\Pi{\downarrow}$ is the grounding of $\Pi$ (over $\sigma^{con}$) and $R{\downarrow} = \{\theta(r) \mid r \in R, \theta \in \Theta_r\}$, where $\Theta_r$ is
the set of all substitutions $\theta$ of the variables in $r$ using $\sigma^{con}$, such that
$lit(\theta(r)) \cap \mathcal{L}_{dyn} \subseteq \mathcal{L}_{PD} \cup (\neg.\mathcal{L}_{PD} \cap \mathcal{L}_{fl})$.

In other words, in $PD{\downarrow}$ we replace $\Pi$ and $R$ by their ground versions, but keep of the latter only
rules where the atoms of all fluent and action literals agree with their declarations. We say that a $PD =
(\Pi, (D, R))$ is ground, if $\Pi$ and $R$ are ground, and moreover that it is well-typed, if $PD$ and $PD{\downarrow}$ coincide.

2.2.2 States and Transitions 

We are now prepared to define the semantics of a planning domain, which is given in terms of states and 
transition between states. 

Definition 2.9 A state with respect to a planning domain $PD$ is any consistent set $s \subseteq \mathcal{L}_{fl} \cap (lit(PD) \cup
lit(PD)^-)$ of legal fluent instances and their negations. A tuple $t = (s, A, s')$ where $s, s'$ are states and
$A \subseteq \mathcal{L}_{act} \cap lit(PD)$ is a set of legal action instances in $PD$ is called a state transition.

Observe that a state does not necessarily contain either $f$ or $\neg f$ for each legal instance $f$ of a fluent.
In fact, a state may even be empty ($s = \emptyset$). The empty state represents a “tabula rasa” state of knowledge
about the fluent values in the planning domain. Furthermore, in this definition, state transitions are not 
constrained - this will be done in the definition of legal state transitions, which we develop now. To ease 
the intelligibility of the semantics, we proceed in analogy to the definition of answer sets in [22] in two 
steps. We first define the semantics for positive planning problems, i.e., planning problems without default 
negation, and then we define the semantics of general planning domains by a reduction to positive planning 
domains. 

In what follows, we assume that $PD = (\Pi, (D, R))$ is a ground planning domain which is well-typed,
and that $M$ is the unique answer set of $\Pi$. For any other $PD$, the respective concepts are defined through its
typed grounding $PD{\downarrow}$.

Definition 2.10 A state $s_0$ is a legal initial state for a positive $PD$, if $s_0$ is the smallest (under inclusion) set
such that $post(c) \subseteq s_0 \cup M$ implies $h(c) \subseteq s_0$, for all initial state constraints and static rules $c \in \Pi$.

For a positive $PD$ and a state $s$, a set $A \subseteq \mathcal{L}^+_{act}$ is called executable action set w.r.t. $s$, if for each
$a \in A$ there exists an executability condition $e \in R$ such that $h(e) = \{a\}$, $pre(e) \cap \mathcal{L}_{fl,typ} \subseteq s \cup M$,
and $pre(e) \cap \mathcal{L}^+_{act} \subseteq A$. Note that this definition allows for modeling dependent actions, i.e. actions which
depend on the execution of other actions.

Definition 2.11 Given a positive $PD$, a state transition $t = (s, A, s')$ is called legal, if $A$ is an executable
action set w.r.t. $s$ and $s'$ is the minimal consistent set that satisfies all causation rules w.r.t. $s \cup A \cup M$.
That is, for every causation rule $r \in R$, if (i) $post(r) \subseteq s' \cup M$, (ii) $pre(r) \cap \mathcal{L}_{fl,typ} \subseteq s \cup M$, and (iii)
$pre(r) \cap \mathcal{L}_{act} \subseteq A$ all hold, then $h(r) \neq \{false\}$ and $h(r) \subseteq s'$.

The above definitions are now generalized to a well-typed ground PD containing default negation by 
means of a reduction to a positive planning domain, which is similar in spirit to the Gelfond-Lifschitz 
reduction [22]: 

Definition 2.12 Let $PD$ be a ground and well-typed planning domain, and let $t = (s, A, s')$ be a state
transition. Then, the reduction $PD^t = (\Pi, (D, R^t))$ of $PD$ by $t$ is the planning domain where $R^t$ is obtained
from $R$ by deleting

1. every $r \in R$, for which either $post^-(r) \cap (s' \cup M) \neq \emptyset$ or $pre^-(r) \cap (s \cup A \cup M) \neq \emptyset$ holds, and

2. all default literals not $L$ ($L \in \mathcal{L}$) from the remaining $r \in R$.

Note that $PD^t$ is positive and ground. Legal initial states, executable action sets, and legal state transitions
are now defined as follows.

Definition 2.13 Let $PD$ be any planning domain. Then, a state $s_0$ is a legal initial state, if $s_0$ is a legal
initial state for $PD^t$, where $t = (\emptyset, \emptyset, s_0)$; a set $A$ is an executable action set in $PD$ w.r.t. a state $s$, if $A$ is
executable w.r.t. $s$ in $PD^t$ with $t = (s, A, \emptyset)$; and, a state transition $t = (s, A, s')$ is legal in $PD$, if it is legal
in $PD^t$.

Example 2.2 Reconsider the type declarations $t_1$ and $t_2$, causation rule $r_1$ and executability condition $e_1$ in
Example 2.1. Suppose $\sigma^{con}$ contains two constants a and b, and that the background knowledge $\Pi$ has the
following answer set: $M$ = {-r(a,b), r(b,a), s(a,a), s(a,b), s(b,b)}. Then, e.g. f(a) is a legal fluent
instance of $t_1$,

f(X) requires -r(X,Y), s(Y,Y).

where $\theta$ = {X = a, Y = b}. Similarly, ac(a,b) is a legal action instance of declaration $t_2$,

ac(X,Y) requires s(X,Y).

where $\theta$ = {X = a, Y = b}. Thus, f(a) and ac(a,b) belong to $\mathcal{L}_{PD}$. The empty set $s_0 = \emptyset$ is a legal initial
state, and in fact the only one since there are no causation rules which apply to initial states in $PD$, and thus
also not in $PD^t$ for every $t$. The action set $A$ = {ac(a,b)} is executable w.r.t. $s_0$, since for $t = (s_0, A, \emptyset)$,
the reduct $PD^t$ contains the executability condition

$e_1^t$ : executable ac(a,b) if s(a,b), a <> b.

and both s(a,b) and a <> b are contained in $s_0 \cup M$. Thus, we can easily verify that $t = (s_0, A, s_1)$, where
$A$ = {ac(a,b)} and $s_1$ = {f(a)} is a legal state transition: $PD^t$ contains a single causation rule

$r_1^t$ : f(a) if s(a,a) after ac(a,b).

which results from $r_1$ for $\theta$ = {X = a, Y = b}. Clearly, $s_1$ satisfies this rule, as $h(r_1^t) \subseteq s_1$, and $s_1$
is smallest, since s(a,a) $\in M$ and ac(a,b) $\in A$ holds. On the other hand, $t = (s_0, A', s_1)$, where
$A'$ = {ac(a,b), ac(b,b)} is not a legal transition: while ac(b,b) is a legal action instance, there is no
executability condition for it in $PD{\downarrow}^t$, and thus ac(b,b) is not executable in $PD$ w.r.t. $s_0$.

2.2.3 Plans 

After having defined state transitions, we now formalize plans as suitable sequences of state transitions
which lead from an initial state to some success state which satisfies a given goal.

Definition 2.14 A sequence of state transitions $T = ((s_0, A_1, s_1), (s_1, A_2, s_2), \ldots, (s_{n-1}, A_n, s_n))$, $n \geq 0$,
is a trajectory for PD, if $s_0$ is a legal initial state of PD and all $(s_{i-1}, A_i, s_i)$, $1 \leq i \leq n$, are legal state
transitions of PD.

Note that in particular, T = () is empty if n = 0. 

Definition 2.15 Given a planning problem $\mathcal{P} = (PD, q)$, where q has form (4), a sequence of action sets
$(A_1, \ldots, A_i)$, $i \geq 0$, is an optimistic plan for $\mathcal{P}$, if a trajectory $T = ((s_0, A_1, s_1), (s_1, A_2, s_2), \ldots,
(s_{i-1}, A_i, s_i))$ in PD exists such that T establishes the goal, i.e., $\{g_1, \ldots, g_m\} \subseteq s_i$ and
$\{g_{m+1}, \ldots, g_n\} \cap s_i = \emptyset$.

The notion of optimistic plan amounts to what in the literature is defined as “plan” or “valid plan” etc. 
The term “optimistic” should stress the credulous view underlying this definition, with respect to planning 
domains that provide only incomplete information about the initial state of affairs and/or bear nondeterminism
in the action effects, i.e., alternative state transitions.

In such domains, the execution of an optimistic plan P is not a guarantee that the goal will be reached. 
We therefore resort to secure plans (alias conformant plans), which are defined as follows. 

Definition 2.16 An optimistic plan $(A_1, \ldots, A_n)$ is a secure plan, if for every legal initial state $s_0$ and
trajectory $T = ((s_0, A_1, s_1), \ldots, (s_{j-1}, A_j, s_j))$ such that $0 \leq j \leq n$, it holds that (i) if j = n then T
establishes the goal, and (ii) if j < n, then $A_{j+1}$ is executable in $s_j$ w.r.t. PD, i.e., some legal transition
$(s_j, A_{j+1}, s_{j+1})$ exists.


Observe that plans admit in general the concurrent execution of actions at the same time. However, in
many cases the concurrent execution of actions may not be desired (and explicitly prohibited, as discussed
below), and attention is focused on plans with one action at a time. More formally, we call a plan $(A_1, \ldots, A_n)$
sequential (or non-concurrent), if $|A_j| \leq 1$, for all $1 \leq j \leq n$.

2.3 Enhanced Syntax 

While the language presented in Section 2.1 is complete and allows for a succinct semantics definition, it
can be enhanced w.r.t. user-friendliness. E.g., it is inconvenient to write initially in front of each initial
state constraint; an initially section in which each rule is interpreted as an initial state constraint
would be more desirable. In addition, some frequently occurring patterns can be identified for which macros
will be defined for convenience and readability.

2.3.1 Partitions

The specification of a planning domain $PD = (\Pi, (D, R))$ (respectively, of a planning problem $\mathcal{P} =
((\Pi, (D, R)), q)$) can be seen as being partitioned into

• the background knowledge $\Pi$

• $F_D$, the fluent declarations in D

• $A_D$, the action declarations in D

• $I_R$, the initial state constraints in R

• $C_R$, the causation rules and executability conditions in R

• the query (or goal) q.

In the sequel, we will denote a planning problem as follows:

fluents :    $F_D$
actions :    $A_D$
always :     $C_R$
initially :  $I_R$
goal :       q

where each construct in $F_D$, $A_D$, $C_R$, and $I_R$ is terminated by “.”. The background knowledge is assumed
to be represented separately.

2.3.2 Macros 

In the following, we will define several macros which allow for a concise representation of frequently used
concepts. Let $a \in \mathcal{L}^+_{act}$ denote an action atom, $f \in \mathcal{L}_{fl}$ a fluent literal, B a (possibly empty) sequence
$b_1, \ldots, b_k, \mathtt{not}\ b_{k+1}, \ldots, \mathtt{not}\ b_l$ where each $b_i \in \mathcal{L}_{fl,typ}$, $i = 1, \ldots, l$, and A a (possibly empty) sequence
$a_1, \ldots, a_m, \mathtt{not}\ a_{m+1}, \ldots, \mathtt{not}\ a_n$ where each $a_j \in \mathcal{L}$, $j = 1, \ldots, n$.

Inertia In planning it is often useful to declare some fluents as inertial, which means that these fluents
keep their truth values in a state transition, unless explicitly affected by an action. In the AI literature this
has been studied intensively and is referred to as the frame problem [51, 62].

To allow for an easy representation of this kind of situation, we have enhanced the language by the
shortcut

inertial f if B after A.   ⇔   caused f if not ¬.f, B after f, A.

Defaults A default value of a fluent in the planning domain can be expressed by the shortcut

default f.   ⇔   caused f if not ¬.f.

This default is in effect unless there is evidence to the opposite value of fluent f, given through some other
causation rule.

Totality For reasoning under incomplete, but total knowledge we introduce

total f if B after A.   ⇔   caused f if not -f, B after A.
                            caused -f if not f, B after A.

where f must be positive.


State Integrity It is very common to formulate integrity constraints for states (possibly referring to the 
respective preceding state). To this end, we define the macro 

forbidden B after A   ⇔   caused false if B after A


Nonexecutability Sometimes it is more intuitive to specify when some action is not executable, rather 
than when it is. To this end, we introduce 

nonexecutable a if B   ⇔   caused false after a, B

Note that because of this definition, nonexecutable is stronger than executable, so in case of conflicts, 
executable is overridden by nonexecutable. 

Non-concurrent Plans Finally, noConcurrency disallows the simultaneous execution of actions. We 
define 

noConcurrency   ⇔   caused false after $a_1$, $a_2$.

where $a_1$ and $a_2$ range over all possible actions such that $a_1, a_2 \in \mathcal{L}_{PD} \cap \mathcal{L}_{act}$ and $a_1 \neq a_2$.

In all macros, “if B” (resp., “after A”) can be omitted, if B (resp. A) is empty. We reserve the possibility
of including further macros in future versions of $\mathcal{K}$.


3 Knowledge Representation in $\mathcal{K}$

In this section, the use of $\mathcal{K}$ for modeling planning problems is explored by examples. Special attention is
given to features and techniques which distinguish $\mathcal{K}$ from similar languages.

3.1 Deterministic Planning with Complete Knowledge 

We first study a simple setting in which the planning domain is not subject to nondeterminism and the 
planning agent has complete knowledge of the state of affairs. For later reference, we formally introduce 
the following notion. 

Definition 3.1 Let PD be a planning domain. Then, a legal transition $(s, A, s_1)$ in PD is determined, if
$s_1 = s_2$ holds for every possible legal transition $(s, A, s_2)$ (i.e., executing A on s leads to a unique new
state). We call PD deterministic, if all legal transitions in it are determined.

Consider first the planning problem depicted in Figure 1, which is set in the blocksworld. This problem 
illustrates the famous Sussman anomaly [66]. 

We will first describe the planning domain $PD_{bwd} = (\Pi_{bw}, (D_{bwd}, R_{bwd}))$ of blocksworld. It involves
distinguishable blocks and a table. Blocks and the table can serve as locations on which other blocks can be
put (a block can hold at most one other block, while the table can hold arbitrarily many blocks). We thus
define the notions of block and location in the background knowledge $\Pi_{bw}$ as follows:

block(a). block(b). block(c).
location(table).
location(B) :- block(B).

For representing states, we declare two fluents in $F_{D_{bwd}}$: on states the fact that some block resides on
some location, occupied is true for a location, if its capacity of holding blocks is exhausted.

fluents:  on(B,L) requires block(B), location(L).
          occupied(B) requires location(B).

Only one action is declared in $A_{D_{bwd}}$: move represents moving a block to some location (implicitly
removing it from its previous location).

actions: move(B,L) requires block(B), location(L). 

Let us now specify the initial state constraints $I_{R_{bwd}}$. For the initial state, occupied does not have
to be specified, as it follows from knowledge about on. Note that only positive facts are stated for on;
nevertheless the initial state is unique because the fluent on is interpreted under the closed world assumption
(CWA) [59], i.e. if on(B, L) does not hold, we assume that it is false.

initially: on(a, table). on(b, table). on(c, a). 

Next, we specify causation rules and executability conditions $C_{R_{bwd}}$. First a static rule is given, defining
occupied for blocks if some other block is on them.

always:  caused occupied(B) if on(B1,B), block(B).

A move action is executable if the block to be moved and the target location are distinct (a block cannot
be moved onto itself). A move is not executable if either the block or the target location is occupied.

         executable move(B,L) if B <> L.
         nonexecutable move(B,L) if occupied(B).
         nonexecutable move(B,L) if occupied(L).

The action effects are defined by dynamic rules. They state that a moved block is on the target location 
after the move, and that a block is not on the location on which it resided before it was moved. 

         caused on(B,L) after move(B,L).
         caused -on(B,L1) after move(B,L), on(B,L1), L <> L1.

Next we state that the fluent on should stay true, unless it becomes false explicitly. Note that we need 
not specify this property for occupied, as it follows from on via the static rule. 

         inertial on(B,L).

Figure 2: A Blocks World example with incomplete initial state.


It is worthwhile noting that in this example the fluents are represented positively. The negation of fluents 
is usually implicit via the closed world assumption. There is one exception in a rule describing an action 
effect: Here the negation becomes known explicitly, and its purpose is the termination of the inertial truth 
of an instance of on. 

In order to solve the original planning problem, we associate the following goal $q_{bwd}$ for plan length 3
to $PD_{bwd}$, yielding $\mathcal{P}_{bwd}$:

goal: on(c,b), on(b, a), on(a, table) ? (3)

$\mathcal{P}_{bwd}$ allows a single sequential plan of length 3:

({move(c, table)}, {move(b, a)}, {move(c, b)})

Thus, the above plan first moves c onto the table, then moves b on top of a, and, finally,
moves c onto b. It is easy to see that this sequence of actions leads to the desired goal. Since this domain is
deterministic and has a unique initial state, all optimistic plans are also secure.

3.2 Planning with Incomplete Initial State Descriptions 

In the example of section 3.1, it is assumed that the initial state is correct (with respect to the domain in 
question) and fully specified (thus unique). In this section we explore how these implicit requirements can 
be weakened. 

As an accompanying example problem, suppose that there is a further block d in the original planning
problem of Figure 1. The exact location of d is unknown, but we know that it is not on top of c. Furthermore,
there is a slightly different goal involving d. The problem is depicted in Figure 2. We will define a corresponding
planning domain $PD_{bwi} = (\Pi_{bwi}, (D_{bwi}, R_{bwi}))$ by extending $PD_{bwd}$. The additional knowledge
about the initial state is represented by adding -on(d, c). to $I_{R_{bwi}}$, and the background knowledge $\Pi_{bwi}$ is
obviously enriched by the fact block(d).

Let us first consider the necessary extensions for handling cases in which the initial state description 
cannot be assumed to be correct (e.g., when completing the partial initial state description, incorrect initial 
states can arise). The following conditions should be verified for each block: (i) It is on top of a unique 
location, (ii) it does not have more than one block on top of it, and (iii) it is supported by the table (i.e., it is 
either on the table or on a stack of blocks which is on the table) [44]. 

It is straightforward to formulate conditions (i) and (ii) and include them into $I_{R_{bwi}}$:

initially:  forbidden on(B,L), on(B,L1), L <> L1.
            forbidden on(B1,B), on(B2,B), block(B), B1 <> B2.

For condition (iii) we add a fluent supported to $F_{D_{bwi}}$, which should be true for any block in a legal
initial state:

fluents:    supported(B) requires block(B).

We add the definition of supported and a constraint stating that each block must be supported to $I_{R_{bwi}}$:

initially:  caused supported(B) if on(B,table).
            caused supported(B) if on(B,B1), supported(B1).
            forbidden not supported(B).

Any planning problem involving the domain defined so far does not admit any plan if the initial state is 
either incorrectly specified or incomplete in the sense that not all block locations are known (as supported 
will not hold for these blocks). Note that the action move preserves the properties (i),(ii), (iii) above for 
sequential plans; it is therefore not necessary to check these properties in all states if concurrent actions are 
not allowed. 

Next we show how incomplete initial states can be completed in $\mathcal{K}$. To this end, we use the keyword
total (defined in section 2.3.2), and simply add total on(X, Y). to $I_{R_{bwi}}$. In this way, all possible completions
w.r.t. on(X, Y) serve as candidate initial states, only some of which satisfy the initial state constraints,
making them legal initial states. E.g. the state in which on(d, a) holds is not legal as the constraint which
checks condition (ii) is violated.

Finally, let us consider the planning problem $\mathcal{P}_{bwi} = (PD_{bwi}, q_{bwi})$, where $q_{bwi}$ is

goal: on(a, c), on(c,d), on(d,b), on(b, table) ? (j)

Usually, when dealing with incomplete knowledge, we look for plans which establish the goal for any
legal initial state (in this particular case no matter whether on(d, b) or on(d, table) holds), so we are
interested in secure plans. The following secure sequential plan exists for $\mathcal{P}_{bwi}$ and j = 4:

({move(d, table)}, {move(d, b)}, {move(c, d)}, {move(a, c)}) 

It is easily verifiable that this plan works on each legal initial state: Since d is not occupied in any legal 
initial state, the first action can always be executed. 

In some cases, one is interested in a plan which works for some possible initial state: For $\mathcal{P}_{bwi}$ an
optimistic plan exists for j = 2:

({move(c,d)}, {move(a,c)}) 

It works only for the initial state in which on(d, b) holds, and fails for all other admissible initial states. 
Hence it is not a secure plan. 
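
The completion-and-check argument of this section can be replayed mechanically. The following Python sketch is an added example, not code from the paper or from the DLV^K system: it enumerates every completion that total on(X, Y). would generate, keeps those satisfying conditions (i)-(iii), and tests both plans above against each legal initial state. It assumes sequential plans and a world-state reading of the domain; all function and constant names are chosen here for illustration.

```python
from functools import lru_cache
from itertools import product

BLOCKS = ["a", "b", "c", "d"]
LOCATIONS = BLOCKS + ["table"]
KNOWN_ON = {("a", "table"), ("b", "table"), ("c", "a")}  # initially: on(...) facts
KNOWN_NOT_ON = {("d", "c")}                               # initially: -on(d,c).
GOAL = {("a", "c"), ("c", "d"), ("d", "b"), ("b", "table")}

SECURE_PLAN = [("d", "table"), ("d", "b"), ("c", "d"), ("a", "c")]  # j = 4
OPTIMISTIC_PLAN = [("c", "d"), ("a", "c")]                          # j = 2


def supported(state):
    """Least fixpoint of the two 'caused supported(B)' rules."""
    sup = {b for (b, loc) in state if loc == "table"}
    while True:
        new = {b for (b, loc) in state if loc in sup} - sup
        if not new:
            return sup
        sup |= new


def is_legal_initial(state):
    for b in BLOCKS:
        if sum(1 for (x, _) in state if x == b) > 1:      # (i) unique location
            return False
        if sum(1 for (_, loc) in state if loc == b) > 1:  # (ii) one block on top at most
            return False
    return supported(state) == set(BLOCKS)                # (iii) every block supported


@lru_cache(maxsize=None)
def legal_initial_states():
    """All completions generated by 'total on(X,Y).' that pass the constraints."""
    fixed = KNOWN_ON | KNOWN_NOT_ON
    free = [(b, loc) for b in BLOCKS for loc in LOCATIONS if (b, loc) not in fixed]
    legal = []
    for bits in product([False, True], repeat=len(free)):
        state = frozenset(KNOWN_ON | {atom for atom, bit in zip(free, bits) if bit})
        if is_legal_initial(state):
            legal.append(state)
    return tuple(legal)


def occupied(state, loc):
    # caused occupied(B) if on(B1,B), block(B): the table is never occupied.
    return loc in BLOCKS and any(l == loc for (_, l) in state)


def apply_move(state, block, loc):
    """Successor state of move(block, loc), or None if the move is not executable."""
    if block == loc or occupied(state, block) or occupied(state, loc):
        return None
    # on(block, loc) is caused, the old location is terminated, the rest is inertial.
    return frozenset({(b, l) for (b, l) in state if b != block} | {(block, loc)})


def reaches_goal(state, plan):
    for block, loc in plan:
        state = apply_move(state, block, loc)
        if state is None:          # violates condition (ii) of Definition 2.16
            return False
    return GOAL <= state


def goal_states(plan):
    """Legal initial states from which the plan is executable and establishes GOAL."""
    return [s for s in legal_initial_states() if reaches_goal(s, plan)]


def is_optimistic(plan):
    return len(goal_states(plan)) > 0


def is_secure(plan):
    # The domain is deterministic, so there is one trajectory per legal initial state.
    return is_optimistic(plan) and len(goal_states(plan)) == len(legal_initial_states())
```

Of the 2^16 candidate completions only two survive the constraints (d on the table, or d on b), which is why checking security here amounts to running the plan twice.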

3.3 Nondeterministic Action Effects 

Let us now focus on domains comprising nondeterministic action effects. To this end we will turn our attention
to the “bomb in the toilet” problem [52] and its variations. We will describe these domains gradually,
starting with two versions which involve deterministic action effects and incomplete initial state specifications,
in which the representation techniques from section 3.2 are applied. Only after these, a variant
comprising nondeterministic action effects and some additional elaborations are presented. We employ a
naming convention which is due to [6].

BT(p) - Bomb in toilet with p packages We have been alarmed that there is a bomb (exactly one) in a
lavatory. There are p suspicious packages which could contain the bomb. There is one toilet bowl, and it is
possible to dunk a package into it. If the dunked package contained the bomb, the bomb is disarmed.

For the $\mathcal{K}$ encoding, the background knowledge $\Pi_{bt}$ consists of a definition of the packages:

package(1). package(2). ... package(p).

We use two fluents: armed(P) holds if package P contains an armed bomb (this is an inertial property),
and unsafe expresses the fact that there are armed bombs. Only one action, dunk(P), is required, which is
always executable and the effect of which is that package P is no longer armed.

For the initial state, total armed(P). expresses the fact that the armed bomb might be in any package P,
while forbidden armed(P), armed(P1), P <> P1. enforces that at most one package can contain an armed
bomb. The statement forbidden not unsafe. is included to guarantee that at least one package contains an
armed bomb in the initial state.

The goal is to achieve a state in which no armed bomb exists, i.e. which is not unsafe. This goal $q_{bomb}$
will be the same for all following variations of the bomb in toilet problems, the respective plan lengths j
will be stated for each problem. We thus arrive at the following planning problem $\mathcal{P}_{bt} = (PD_{bt}, q_{bomb})$:


fluents:    armed(P) requires package(P).
            unsafe.
actions:    dunk(P) requires package(P).
always:     inertial armed(P).
            caused -armed(P) after dunk(P).
            caused unsafe if armed(P).
            executable dunk(P).
initially:  total armed(P).
            forbidden armed(P), armed(P1), P <> P1.
            forbidden not unsafe.
goal:       not unsafe ? (j)


Note that in the formulation of this simple domain there is only one deterministic action, while the initial 
state is incomplete since it is not known which of the p packages contains the bomb. 

Usually, a plan should be produced which establishes the goal no matter which package the bomb
is in, so we look for a secure plan. If concurrent actions are allowed, the following secure plan for j = 1
(dunking all packages at the same time) can be found:

({dunk(1),... , dunk(p)})

A secure sequential plan consists of dunking all packages sequentially, so j = p:

({dunk(1)},... , {dunk(p)})

Any permutation of these action sets is also a valid secure plan. 


BTC(p) - Bomb in toilet with certain clogging Let us now consider a slightly more elaborate version of
the problem: Assume that dunking a package clogs the toilet, making further dunking impossible. The toilet
can be unclogged by flushing it. The toilet is assumed to be unclogged initially. Note that this domain still
comprises only deterministic action effects.

We extend $PD_{bt} = (\Pi_{bt}, (D_{bt}, R_{bt}))$ to $PD_{btc} = (\Pi_{bt}, (D_{btc}, R_{btc}))$ by adding a new fluent, clogged,
and a new action, flush, to $D_{btc}$:

fluents:  clogged.
actions:  flush.

clogged is inertial, is a deterministic effect of dunk, and is terminated by flush. flush is always
executable, so the following rules are added to $C_{R_{btc}}$:

always:   inertial clogged.
          caused -clogged after flush.
          caused clogged after dunk(P).
          executable flush.

The executability statement for dunk has to be modified, as dunk is not executable if the toilet is clogged:

          executable dunk(P) if not clogged.

Since clogged is assumed not to hold initially, and since it is interpreted under the CWA, nothing has
to be added to $I_{R_{btc}}$.

For the planning problem $\mathcal{P}_{btc} = (PD_{btc}, q_{bomb})$ we are only interested in sequential plans, as dunking
and flushing concurrently is not permitted. A minimal secure plan can be found for $j = 2p - 1$:

({dunk(1)}, {flush}, {dunk(2)},... , {flush}, {dunk(p)})

Again, the action sets containing dunk actions can be arbitrarily permuted, as long as the flush actions are 
executed between the dunk actions. 

BTUC(p) - Bomb in toilet with uncertain clogging Consider a further elaboration of the domain, in
which clogged may or may not be an effect of dunking. In other words, the action dunk has a nondeterministic
effect, and the toilet is clogged or not clogged after having executed dunk.

This behavior is modeled by declaring clogged to be total after dunk has occurred. Therefore the 
action effect 


caused clogged after dunk(P). 

in PD btc is modified to 

total clogged after dunk(P). 

yielding the planning domain $PD_{btuc}$. The planning problem $\mathcal{P}_{btuc} = (PD_{btuc}, q_{bomb})$ admits the same
secure plans as $\mathcal{P}_{btc}$.

BMTC(p,t), BMTUC(p,t) - Bomb in toilet with multiple toilets Yet another elaboration is to assume
that several toilet bowls (t, rather than just one) are available in the lavatory. The modifications to $PD_{btc}$
yielding $PD_{bmtc} = (\Pi_{bmt}, (D_{bmtc}, R_{bmtc}))$ and to $PD_{btuc}$ yielding $PD_{bmtuc} = (\Pi_{bmt}, (D_{bmtuc}, R_{bmtuc}))$
are rather straightforward.

The background knowledge $\Pi_{bt}$ is simply extended to contain also a definition of the t toilets, by adding:

toilet(1). toilet(2). ... toilet(t).

arriving at $\Pi_{bmt}$. The fluent and action declarations for clogged, dunk, and flush must be parametrised
w.r.t. the affected toilet. The updated definitions w.r.t. $D_{btc}$ (resp. $D_{btuc}$) are as follows:

clogged(T) requires toilet(T).
dunk(P,T) requires package(P), toilet(T).
flush(T) requires toilet(T).

Furthermore, each occurrence of clogged, dunk, and flush in $R_{btc}$ (resp. $R_{btuc}$) must be updated by
adding a variable T (representing the toilet) to its parameters.

Since multiple resources can be used concurrently here, we add some concurrency conditions for the
actions to $PD_{btc}$ (resp. $PD_{btuc}$): dunk and flush should never be executed concurrently on any toilet.
Furthermore, at most one package should be dunked into a toilet, and any package should be dunked in at
most one toilet at a time. These conditions are captured by the following rules:

always:  nonexecutable dunk(P,T) if flush(T).
         nonexecutable dunk(P,T) if dunk(P1,T), P <> P1.
         nonexecutable dunk(P,T) if dunk(P,T1), T <> T1.

In total, $(D_{bmtuc}, R_{bmtuc})$ of $PD_{bmtuc}$ looks as follows:

fluents:    clogged(T) requires toilet(T).
            armed(P) requires package(P).
            unsafe.
actions:    dunk(P,T) requires package(P), toilet(T).
            flush(T) requires toilet(T).
always:     inertial armed(P).
            inertial clogged(T).
            caused -clogged(T) after flush(T).
            caused -armed(P) after dunk(P,T).
            total clogged(T) after dunk(P,T).
            caused unsafe if armed(P).
            executable flush(T).
            executable dunk(P,T) if not clogged(T).
            nonexecutable dunk(P,T) if flush(T).
            nonexecutable dunk(P,T) if dunk(P1,T), P <> P1.
            nonexecutable dunk(P,T) if dunk(P,T1), T <> T1.
initially:  total armed(P).
            forbidden armed(P), armed(P1), P <> P1.
            forbidden not unsafe.

The secure plans for $\mathcal{P}_{bmtc} = (PD_{bmtc}, q_{bomb})$ and $\mathcal{P}_{bmtuc} = (PD_{bmtuc}, q_{bomb})$ are similar to those for
$\mathcal{P}_{btc}$ and $\mathcal{P}_{btuc}$, respectively. The differences are that up to t dunk and flush actions, respectively, can be
executed in parallel (so the plans are no longer sequential), and that $t - 1$ flushing actions can be saved since
no final flushing is required for any toilet. Therefore any secure plan consists of $2p - t$ actions and in $q_{bomb}$,
the minimal plan length is: $j = 2\lceil p/t \rceil - 1$.

3.4 Knowledge Based Encoding of Nondeterministic Action Effects 

In this section, alternative planning domains for bomb in toilet will be presented. These encodings will be
based on states of knowledge, a distinguishing feature of $\mathcal{K}$, rather than states of the world as in the previous
sections. We will use the same background knowledge $\Pi_{bt}$ (resp. $\Pi_{bmt}$) and the same goal $q_{bomb}$ with the
same values for the plan length j as in section 3.3.

BT(p) In section 3.3 we have represented the initial situation by means of totalization on armed(P), leading
to multiple initial states, corresponding to different possible states of the world. From the knowledge
perspective, nothing is known about armed(P) (and -armed(P)), so the initial situation can be represented
by one state in which neither armed(P) nor -armed(P) holds. The action dunk(P) has the effect that
-armed(P) is known to hold, and -armed(P) is inertial. We state the planning domain $PD_{btk}$ as follows:

fluents:  armed(P) requires package(P).
          unsafe.
actions:  dunk(P) requires package(P).
always:   inertial -armed(P).
          caused -armed(P) after dunk(P).
          caused unsafe if not -armed(P).
          executable dunk(P).

The advantage of this encoding is that multiple initial states do not have to be dealt with. Note that 
in this formulation it does not make sense to encode the restriction that exactly one package is armed, as 
nothing is known about the armed status whatsoever, so reasoning about what conditions this knowledge 
should comply with, if we had it, is superfluous. Furthermore, since the domain is deterministic, optimistic 
and secure plans coincide. 

BTC(p) $PD_{btck}$ is extended from $PD_{btk}$ in the same way as $PD_{btc}$ was obtained from $PD_{bt}$ in section 3.3,
i.e. by adding declarations for clogged and flush, adding rules for action effects w.r.t. clogged, defining
clogged to be inertial, stating flush to be always executable, and by modifying the executability condition
for dunk(P).

Note that in this encoding clogged is still interpreted under the CWA. 

BTUC(p) In the variant with uncertain clogging, the effect of dunk(P) is that the truth of clogged is
unknown. $\mathcal{K}$ has the capability of representing a state in which neither clogged nor -clogged holds, but
to do this, we should no longer interpret clogged under the CWA, as we would not like to assume that
clogged does not hold if it is unknown. For this reason inertial -clogged. is included, and for the
initial state, it must be stated explicitly that the toilet is unclogged.

Unfortunately, there is no construct in $\mathcal{K}$ with which an action effect of some fluent being unknown can
be expressed directly. However, it is possible to modify the inertial rules for clogged and -clogged, so
that inertia applies only if no package has been dunked. That means that dunking stops inertia for clogged,
and clogged will be unknown unless it becomes known otherwise. Since this technique encodes inertia
under some conditions, we call it conditional inertia.

To achieve this, a new fluent dunked is introduced, which holds immediately after dunk(P) occurred for
some package P. The inertial macros are then extended by the additional condition. The precise meaning
of the resulting program is that neither clogged nor -clogged will hold after dunk(P) has been executed
for some package P, unless one of them is caused by some other rule different from inertia.

To summarize, the following is added to $PD_{btck}$:

fluents:    dunked.
always:     inertial clogged if not dunked.
            inertial -clogged if not dunked.
            caused dunked after dunk(P).
            caused -clogged after flush.
            executable dunk(P) if -clogged.
initially:  -clogged.

while a few statements are dropped:

always:     inertial clogged.
            caused clogged after dunk(P).
            executable dunk(P) if not clogged.

yielding $PD_{btuck}$.

Note that also $PD_{btuck}$ is deterministic and has a unique initial state, so optimistic and secure plans
coincide. This example shows that it is possible to find an encoding which requires a substantially less
complex solver by using techniques which exploit the “state of knowledge” paradigm of the language $\mathcal{K}$.
We would like to point out that this is not a contradiction to complexity results in section 4 below (finding
secure plans is more complex than finding optimistic plans): BTUC(p) per se is an easy problem (it is
solvable in linear time), it is just the representation requiring examination of alternatives, which made it
look hard.
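
The effect of conditional inertia can be traced by hand-translating the rules of the BTUC(p) knowledge-state encoding into a transition function. The following Python sketch is an added example, not code from the paper or from the DLV^K system: a knowledge state is a set of literals, and the rule semantics are hard-coded for this one domain and for sequential plans only. All function names and the tuple representation of actions are assumptions made here.

```python
def neg_armed(p):
    return f"-armed({p})"


def close_static(literals, packages):
    """Apply the static rule 'caused unsafe if not -armed(P).' to a knowledge state."""
    state = set(literals)
    if any(neg_armed(p) not in state for p in packages):
        state.add("unsafe")
    return frozenset(state)


def initial_state(packages):
    # initially: -clogged.  Nothing is known about armed(P), so this state is unique.
    return close_static({"-clogged"}, packages)


def executable(state, action):
    # executable flush.    executable dunk(P) if -clogged.
    return action[0] == "flush" or "-clogged" in state


def step(state, action, packages):
    """Unique successor knowledge state, or None if the action is not executable."""
    if not executable(state, action):
        return None
    if action[0] == "dunk":
        nxt = {neg_armed(action[1]), "dunked"}   # caused -armed(P), dunked after dunk(P).
    else:
        nxt = {"-clogged"}                       # caused -clogged after flush.
    nxt |= {lit for lit in state if lit.startswith("-armed(")}  # inertial -armed(P).
    if "dunked" not in nxt:                      # conditional inertia for (-)clogged
        for lit, complement in (("clogged", "-clogged"), ("-clogged", "clogged")):
            if lit in state and complement not in nxt:
                nxt.add(lit)
    return close_static(nxt, packages)


def trajectory(plan, p):
    """The single trajectory of a sequential plan, or None if some step cannot run."""
    packages = range(1, p + 1)
    states = [initial_state(packages)]
    for action in plan:
        nxt = step(states[-1], action, packages)
        if nxt is None:
            return None
        states.append(nxt)
    return states


def dunk_flush_plan(p):
    """dunk(1), flush, dunk(2), ..., flush, dunk(p): the plan of length 2p - 1."""
    plan = []
    for pkg in range(1, p + 1):
        if plan:
            plan.append(("flush",))
        plan.append(("dunk", pkg))
    return plan


def establishes_goal(plan, p):
    states = trajectory(plan, p)
    return states is not None and "unsafe" not in states[-1]   # goal: not unsafe ?
```

After a dunk the state contains neither clogged nor -clogged, so a second dunk is not executable until a flush makes -clogged known again; there is never more than one successor state to examine.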

BMTC(p,t), BMTUC(p,t) As in section 3.3, a generalization to domains involving multiple toilets is
straightforward and can be achieved by applying the changes described there, resulting in the planning
domains $PD_{bmtck}$ and $PD_{bmtuck}$, respectively. Find $PD_{bmtuck}$ as an example below ($\Pi_{bmt}$ is omitted):

fluents:    clogged(T) requires toilet(T).
            armed(P) requires package(P).
            dunked(T) requires toilet(T).
            unsafe.
actions:    dunk(P,T) requires package(P), toilet(T).
            flush(T) requires toilet(T).
always:     inertial -armed(P).
            inertial clogged(T) if not dunked(T).
            inertial -clogged(T) if not dunked(T).
            caused dunked(T) after dunk(P,T).
            caused -clogged(T) after flush(T).
            caused -armed(P) after dunk(P,T).
            caused unsafe if not -armed(P).
            executable flush(T).
            executable dunk(P,T) if -clogged(T).
            nonexecutable dunk(P,T) if flush(T).
            nonexecutable dunk(P,T) if dunk(P1,T), P <> P1.
            nonexecutable dunk(P,T) if dunk(P,T1), T <> T1.
initially:  -clogged(T).


Also in this case the resulting problem domains are deterministic and hence optimistic plans and secure
plans coincide. This indicates that planning problems of this section can be solved faster than those of
section 3.3. Indeed, we have observed this also experimentally [12]; the encodings of section 3.4 can often
be solved several orders of magnitude faster than those of section 3.3 in the $\mathrm{DLV}^{\mathcal{K}}$ system prototype.


3.5 Discussion 

As we have seen in the preceding subsections, the use of knowledge states instead of world states allows
us to represent planning scenarios in which certain information remains open, or is (deliberately) dropped
under the proviso that it is not relevant to the planning problems that are considered. However, the total
primitive provides a simple means to switch from knowledge states to world states, and thus our approach
fully supports conventional world state planning.

An important advantage which our language offers is that it also enables planning where world states are 
projected to a subset of fluents of interest, leaving the details of other fluents open. It thus supports to some 
extent focusing in the problem representation, by restricting attention to those fluents whose value may have 
an influence on the evolution of the world depending on the actions that are taken. 

For example, if the toilets in the bomb in the toilet domain were colored, and an action paint(T, C)
were available which causes the color of toilet T to become C, represented by the fluent color(T, C),
then the fluent color would not be relevant for the planning problems considered in Sections 3.3 and 3.4. Thus,
the value of this fluent may be left open, and no totalization statement on color is needed in the problem
representation.

The question then is how relevance can be (efficiently) determined and exploited by the user. In general, 
efficient automatic support will be difficult to achieve, since it requires analysis of the planning domain 
which involves intractable computational problems. However, using adapted results about relevance in logic 
programming, cf. [9], under some assertions syntactic criteria may be used to exclude (part of the) fluents 
which are irrelevant for a goal. In the above example, given a natural representation we would find out that 
color(T, C) is not relevant for unsafe. Sophisticated usage of total remains with the user at the moment, 
and developing automated support is an interesting research topic. 

Another issue concerns the use of knowledge states versus world states, even with respect to fluents that 
are relevant for achieving the planning goal. Here, we must take into account the underlying assumption 
of taking actions depending on a state of knowledge (where in case of incomplete information, default 
assumptions might be used) or a state of affairs, respectively. 

For example, if a robot is in front of a door, and wants to pass through it, it needs to know whether the 
door is open or not. In our approach, we may represent this by the following statements: 

r1 : ¬open if not open after check_door. 

r2 : open if not ¬open after check_door. 

e : executable check_door if not open, not ¬open. 


That is, after checking the state of the door, we know whether it is open or not (both are possible), and a 
secure plan must handle both cases appropriately. The check_door action is only executable if the state is 
not known yet; otherwise doing it would be superfluous, assuming that the robot's state correctly models the 
world. Thus, under knowledge state planning, a global plan may naturally include the action check_door, 
assuming that the status of the door is unknown in the current state. However, under world-state planning, such an 
action would always be superfluous as the value of open is known. Accordingly, if we add the statement 
total open., then a plan including check_door is no longer feasible; this, however, is not a flaw, since it 
simply reflects that the precondition for executing the sensing action, namely that the door status is unknown, 
never applies. In the same line, we can find examples where adding total statements renders secure plans 
insecure, or where new optimistic and secure plans emerge. On the other hand, by forgetting the status of 
fluents, we might find plans for problems where world-state planning has no plan. 

We may explain these observations by recalling that knowledge state planning, in our approach, is 
planning under (default) assumptions made on incomplete information, which are represented in the planning 
domain by the use of default literals and select one of the two possible values of a fluent. These assumptions 
may turn out inappropriate in reality, and a plan may become infeasible. Security of a plan is relative to 
the emerging states of knowledge and the assumptions that were made in selecting the actions. This looks 
refutable, but a moment of reflection should convince the reader that this incorporates qualitative decision 
making in terms of default principles into the planning process. Any statement total f. is an unconditional implicit 
sensing action, which refines the knowledge state by reporting the status of the fluent in the new state. 

We thus may proceed in planning as follows: try to find an optimistic or secure plan, and then evaluate 
feasibility of the plan under refined knowledge states, by adding suitable total statements. Here, not 
necessarily all fluents have to be totalized, but merely the relevant ones. In case no plan exists, a refinement 
of the knowledge states may be attempted at the initial state. In particular, if incompleteness is just given in 
the initial state, but each fluent is, by the causal rules, defined in each future state, then one should describe 
the properties known to hold in the beginning, totalize the (relevant) fluents of the initial state, and ask for a 
secure plan (cf. Section 3.2; the interested reader is encouraged to identify the relevant instances of on(X, Y) 
for totalization w.r.t. the goal there). Exploring the use of totalization, and developing a methodology for 
this process, is an interesting issue for further work. 


4 Complexity of K 

We now turn to the computational complexity of planning in our language K. In this section, we present the 
results of a detailed study of major planning issues in the propositional case. Results for the case of general 
planning problems (with variables) may be obtained by applying suitable complexity upgrading techniques 
(cf. [30]). We call a planning domain PD (resp., planning problem V) propositional, if all predicates in it 
have arity 0, and thus it contains no variables. 

4.1 Main Problems Studied 

In our analysis, we consider the following three problems: 

Optimistic Planning: Decide, given a propositional planning problem (PD, q), whether some optimistic 
plan exists. 

Security Checking: Decide, given an optimistic plan $P = (A_1, \ldots, A_n)$ for a propositional planning 
problem (PD, q), whether P is secure. 

Secure Planning: Decide, given a propositional planning problem (PD, q), whether some secure plan 
exists. 

We remark here that the formulation of security checking is, strictly speaking, a promise problem, since 
it is asserted that P is an optimistic plan, which cannot be checked in polynomial time in general (and 
thus legal inputs cannot be recognized easily). However, the complexity results that we derive below would 
remain the same, even if P were not known to be an optimistic plan. 

We assume that the reader has some knowledge of basic concepts of computational complexity theory; 
see [54, 7] for a background and further sources. In particular, we assume familiarity with the well-known 
complexity classes P, NP, co-NP, and PSPACE. The classes $\Sigma^P_k$ (resp., $\Pi^P_k$), $k \geq 0$, of the Polynomial 
Hierarchy $\mathrm{PH} = \bigcup_{k \geq 0} \Sigma^P_k$ are defined by $\Sigma^P_0 = \Pi^P_0 = \mathrm{P}$ and $\Sigma^P_k = \mathrm{NP}^{\Sigma^P_{k-1}}$ 
(resp., $\Pi^P_k = \text{co-}\Sigma^P_k$), for $k \geq 1$. The latter model nondeterministic polynomial-time computation 
with an oracle for problems in $\Sigma^P_{k-1}$. Furthermore, $D^P = \{L \cap L' \mid L \in \mathrm{NP}, L' \in \text{co-NP}\}$ is the 
logical “conjunction” of NP and co-NP, 
and NEXPTIME is the class of problems decidable by nondeterministic Turing machines in exponential 
time. We recall that $\mathrm{NP} \subseteq D^P \subseteq \mathrm{PH} \subseteq \mathrm{PSPACE} = \mathrm{NPSPACE} \subseteq \mathrm{NEXPTIME}$ holds, where NPSPACE is 
the nondeterministic analog of PSPACE. It is generally believed that these inclusions are strict, and that PH 
is a true hierarchy of problems with increasing difficulty. Note that NEXPTIME-complete problems are 
provably intractable, i.e., exponential lower bounds can be proved, while no such proofs for problems in PH 
or PSPACE are known today. 

4.2 Overview of Results 

We will consider the three problems from above under the following two restrictions: 

1. General vs. proper planning domains. Because of their underlying stable semantics, which is well 
known to be intractable [46], causation rules in domain descriptions can express computationally intractable 
relationships between fluents. In fact, determining whether for a state s and a set of executable 
actions A in s some legal transition (s, A, s') to any successor state s' exists in a planning domain PD 
is intractable in general, since it comprises checking whether a logic program has an answer set. For 
this reason, we pay special attention to the following subclass of planning domains. 

Definition 4.1 We call a planning domain PD proper if, given any state s and any set of actions 
A, deciding whether some legal state transition (s, A, s') exists is polynomial. A planning problem 
(PD, q) is proper, if PD is proper. 

Proper planning domains are not plagued with intractability of deciding whether doing some actions 
will violate the dynamic domain axioms, even if they possibly have nondeterministic effects. In fact, 
we expect that in many scenarios, the domain is represented in a way such that if a set of actions 
qualifies for execution in a state, then performing these actions is guaranteed to reach a successor 
state. In such cases, the planning domain is trivially proper. This applies, for example, to the standard 
STRIPS formalism [20] and many of its variants. 

Unfortunately, deciding whether a given planning domain is proper is intractable in general; we thus 
need syntactic restrictions for taking advantage of this (semantic) property in practice. For obtaining 
significant lower complexity bounds, we consider in our analysis a very simple class of proper 
planning domains. 

Definition 4.2 We call a planning domain PD = (Π, AD) plain, if the background knowledge Π is 
empty, and AD satisfies the following conditions: 

1. Executability conditions refer only to fluents. 

2. No default negation, neither explicit nor implicit through language extensions (such as inertia 
rules), is used in the post-part of causation rules in the “always” section. 

3. Given that $a_1, \ldots, a_m$ are all ground actions, AD contains the rules 

nonexecutable $a_i$ if $a_j$.    $1 \leq i < j \leq m$ 

caused false after not $a_1$, not $a_2$, ..., not $a_m$. 

We call a planning problem V = (PD, q) plain, if PD is plain. 

The conditions ensure that every legal state transition t = (s, A, s') must satisfy |A| = 1. Thus all 
optimistic and secure plans must be sequential. 

As easily seen, in plain planning domains (which can be efficiently recognized), deciding whether for 
a state s and an action set A some legal state transition t = (s, A, s') exists is polynomial, since this 
reduces to evaluating a not -free logic program with constraints. Thus, plain planning domains are 
proper. Furthermore, each legal state transition t in a plain planning domain PD is clearly determined, 
and thus PD is also deterministic. As discussed below, for many problems plain planning domains 
harbor already the full complexity of proper planning domains. 

We remark that further, more expressive syntactic fragments of proper planning domains can be 
obtained by exploiting known results on logic programs which are guaranteed to have answer sets, such 
as stratified logic programs, or order-consistent and odd-cycle free logic programs [17, 10]; the latter 
allow for expressing nondeterministic action effects. In particular, these results may be applied on the 
rules obtained from the dynamic causation rules by stripping off their pre-parts. We do not investigate 
this issue further here; stratified planning domains are addressed in [57]. 

2. Fixed vs. arbitrary plan length. We analyze the impact of fixing the length i in the query q = Goal ? (i) 
of (PD, q) to a constant. In general, the length of an optimistic plan for (PD, q) can be exponential 
in the size of the string representing the number i (which, as usual, is represented in binary notation), 
and even exponential in the size of the string representing the whole input (PD, q). Indeed, it may be 
necessary to pass through an exponential number of different states until a state satisfying the goal is 
reached. For example, the initial state $s_0$ may describe the value (0, ..., 0) of an n-bit counter, and 
the goal description might state that the counter has value (1, ..., 1). Assuming an action repertoire 
which allows, in each state, to increment the value of the counter by 1, the shortest optimistic plan 
for this problem has $2^n - 1$ steps. (We leave the formalization of this problem in K as an illustrative 
exercise to the reader.) This shows that storing a complete optimistic plan in working memory requires 
exponential space in general. If i is fixed, however, then the representation size of the plan is linear in 
the size of (PD, q). 

| planning domain PD | plan length i in query q = Goal ? (i): fixed (= constant) | plan length i in query q = Goal ? (i): arbitrary |
|---|---|---|
| general | NP / $\Pi^P_2$ / $\Sigma^P_3$-complete | PSPACE / $\Pi^P_2$ / NEXPTIME-complete |
| proper | NP / co-NP / $\Sigma^P_2$-complete | PSPACE / co-NP / NEXPTIME-complete |

Table 1: Complexity Results for Optimistic Planning / Security Checking / Secure Planning (Propositional 
Case) 


Main complexity results. Our main results on the complexity of K are compactly summarized in Table 1, 
and can be explained as follows. 

• As for Optimistic Planning, we can avoid exponential space for storing an optimistic plan 
$P = (A_1, \ldots, A_n)$ by generating it step by step: we guess a legal initial state $s_0$, and subsequently, one 
by one, the legal transitions $(s_{i-1}, A_i, s_i)$. Since storing one legal transition requires only polynomial 
workspace and NPSPACE = PSPACE, Optimistic Planning is in PSPACE. On the other hand, 
propositional STRIPS, which is PSPACE-complete [3], can be easily reduced to planning in K, where the 
resulting planning problem is plain and thus proper. For fixed plan length, the whole optimistic plan 
has linear size, and thus can be guessed and verified in polynomial time. 

• In Security Checking, the optimistic plan $P = (A_0, \ldots, A_n)$ to be checked is part of the input, so the 
binary representation of the plan length is not an issue here. If P is not secure, there must be a legal 
initial state $s_0$ and a trajectory executing the actions in $A_0, \ldots, A_i$ such that either the execution is 
stuck, i.e., no successor state $s_i$ exists or the actions in $A_i$ are not executable in $s_i$, or the goal is not 
fulfilled in the final state $s_n$. Such a trajectory can be guessed and verified in polynomial time with 
the help of an NP oracle; this places the problem in $\Pi^P_2$. The NP oracle is needed to cover the case 
where no successor state $s_i$ exists, which reduces to checking whether a logic program has no answer 
set. In proper planning domains, existence of can be decided in polynomial time, which makes the 
use of an NP oracle obsolete and lowers the overall complexity from $\Pi^P_2 = \text{co-NP}^{\mathrm{NP}}$ to co-NP. 

• In Secure Planning, the existence of a secure plan can be decided by composing algorithms for 
constructing optimistic plans and for security checking. Our membership proofs for deciding the 
existence of an optimistic plan actually (nondeterministically) construct such a plan, and thus we easily 
obtain upper bounds on the complexity of Secure Planning from the complexity of the combined 
algorithm, by using the security check as an oracle. In the case of arbitrary plan length, the use of a $\Pi^P_2$ 
oracle can be eliminated by a more clever procedure, in which plan security is checked by inspecting 
all states reachable after 0, 1, 2, ... steps of the plan. Even if their number may be exponential, this 
does not lead to a further complexity blow up. Thus, Secure Planning is in NEXPTIME. On the other 
hand, even in plain planning domains, an exponential number of (exponentially long) candidate secure 
plans may exist, and the best we can do seems to be guessing a suitable one and verifying it. 
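
The door example from the discussion of knowledge states, checked for security by progressing the set of reachable states step by step as the bullets above describe, as an added Python illustration (not code from the paper or from the DLV K system). Knowledge states are sets of known literals; `check_door` follows rules r1, r2 and e, while `open_door` and `pass_door`, their effects, and the restriction to sequential plans are assumptions of this example.

```python
"""Security check for a sequential plan over knowledge states (constructed example)."""

INITIAL = {frozenset()}                  # nothing is known about the door
GOAL = frozenset({"through"})


def door_successors(state, action):
    """Return the set of legal successor knowledge states; empty set means stuck."""
    if action == "check_door":
        if "open" in state or "-open" in state:
            return set()                 # rule e: executable only if status unknown
        return {state | {"open"}, state | {"-open"}}    # rules r1 and r2
    if action == "open_door":            # assumed: always executable, causes open
        return {(state - {"-open"}) | {"open"}}
    if action == "pass_door":            # assumed: needs the door known to be open
        return {state | {"through"}} if "open" in state else set()
    raise ValueError(f"unknown action {action!r}")


def classify_plan(initial_states, plan, goal, successors=door_successors):
    """Return (optimistic, secure, counterexample) for a sequential plan.

    optimistic: some trajectory from a legal initial state executes the whole
                plan and ends in a state satisfying the goal.
    secure:     optimistic, and no trajectory gets stuck or misses the goal.
    counterexample: (step, action, state) where execution is stuck, or
                (len(plan), None, state) for a final state missing the goal.
    """
    reachable = set(initial_states)      # all states reachable after 0 steps
    counterexample = None
    for step, action in enumerate(plan):
        nxt = set()
        for state in sorted(reachable, key=sorted):     # deterministic order
            succ = successors(state, action)
            if succ:
                nxt |= succ
            elif counterexample is None:
                counterexample = (step, action, state)  # execution is stuck here
        reachable = nxt                  # all states reachable after step + 1 steps
    optimistic = any(goal <= s for s in reachable)
    if counterexample is None:
        for state in sorted(reachable, key=sorted):
            if not goal <= state:
                counterexample = (len(plan), None, state)
                break
    return optimistic, optimistic and counterexample is None, counterexample


if __name__ == "__main__":
    for plan in (["check_door", "pass_door"],
                 ["check_door", "open_door", "pass_door"]):
        print(plan, classify_plan(INITIAL, plan, GOAL))
```

Passing the two states {open} and {-open} as initial states mimics adding total open.: every plan containing check_door then gets stuck at that step.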

Effect of parallel actions. The results in Table 1 address the case where parallel actions in plans are 
allowed. However, excluding parallel actions and considering only sequential plans does not change the 
picture drastically. In all cases, the complexity stays the same except for secure planning under fixed plan 
length, where Secure Planning is $\Pi^P_2$-complete in general and $D^P$-complete in proper planning domains 
(Theorem 5.7). Intuitively, this is explained by the fact that for a plan length fixed to a constant, the number 
of potential candidate plans is polynomially bounded in the input size of V, and thus the guess of a proper 
secure candidate can be replaced by an exhaustive search, where it remains to check as a side issue the 
consistency of the domain (i.e., existence of some legal initial state), which is NP-complete in general (also 
for plain domains); see Theorem 5.7 below. 


Effect of nondeterministic actions. Our results also imply some conclusions on nondeterministic vs. 
deterministic planning domains. Interestingly, in proper planning domains, nondeterminism has no impact 
on the complexity for all problems considered, and we can conclude the same for Optimistic Planning as 
well as Secure Planning under arbitrary plan length. Furthermore, for proper planning problems even the 
combined restrictions of sequential plans and deterministic action outcomes do not decrease the complexity 
except for Secure Planning with fixed plan length, since the hardness results are obtained for plain planning 
problems, which guarantee these restrictions. 


Implications for implementation. The complexity results have important consequences for the 
implementation of K on top of existing computational logic systems, such as Blackbox [37], CCALC [47], 
smodels [33], DLV, satisfiability checkers, e.g. [53, 41, 2, 74], or Quantified Boolean Formula (QBF) solvers 
[4, 61, 18]. Optimistic Planning under arbitrary plan length is not polynomially reducible to systems 
with capability of solving problems within the Polynomial Hierarchy, e.g. Blackbox, satisfiability 
checkers, CCALC, smodels, or DLV, while it is feasible using QBF solvers. On the other hand, for fixed (and 
similarly, for polynomially bounded) plan length, Optimistic Planning can be polynomially expressed in all 
these systems. On the other hand, even in the case of fixed plan length and proper planning domains, Secure 
Planning is beyond the capability of systems having “only” NP expressiveness such as Blackbox, CCALC, 
smodels, or satisfiability checkers, while it can be encoded in DLV (which has expressiveness) and QBF 
solvers. Even in the more restrictive plain planning domains, where Secure Planning is $\Sigma^P_2$-complete, the 
systems mentioned cannot polynomially express Secure Planning in a single encoding. On the other hand, 
if we abandon properness, then also DLV is incapable of encoding Secure Planning (whose complexity 
increases to $\Sigma^P_3$-completeness). Nonetheless, Secure Planning is feasible in DLV using a two step approach as 
in [25], where optimistic plans are generated as secure candidate plans and then checked for security; this 
check is polynomially expressible in DLV. 

Secure planning under arbitrary plan length is provably intractable, even in plain domains. Since 
NEXPTIME strictly contains PSPACE, there is no polynomial time transformation to QBF solvers or other popular 
computational logic systems with expressiveness limited to PSPACE, such as traditional STRIPS planning. 

Here, further restrictions are needed to lower complexity to PSPACE, such as a polynomial bound on 
the plan length in the input query. We leave this for further investigation. 


5 Derivation of Results 


In this section, we show how the results discussed in the previous section are derived. 

In the proofs of the lower bounds, the constructed planning problems V = ((Π, (D, R)), q) will always 
have empty background knowledge Π. Furthermore, the action and fluent declarations $F_D$ and $A_D$, 
respectively, will be as needed for the R part, and are not explicitly mentioned. That is, we shall only explicitly 
address R and q, while Π = ∅ and D are implicitly understood. 

The following lemma on checking initial states and legal state transitions is straightforward from 
well-known complexity results for logic programming (cf. [7]). 

Lemma 5.1 Given a state $s_0$ (resp., a state transition t = (s, A, s')) and a propositional planning domain 
PD = (Π, (D, R)), checking whether $s_0$ is a legal initial state (resp., t is a legal state transition) is possible 
in polynomial time. 

Proof (of Lemma 5.1). The unique answer set M of the stratified normal logic program Π can be computed 
in polynomial time (cf. [7]). Given M, the set of legal fluent and action instances $\mathcal{L}_{PD}$ is easily computable 
in polynomial time, as well as the reduction $PD^t$. Checking whether $s_0$ is a legal initial state for $PD^t$ 
amounts to checking whether $s_0$ is the least fixpoint of a set of positive propositional rules, which is well 
known to be polynomial. Overall, this means that checking whether $s_0$ is a legal initial state of PD is polynomial. 
From M, t, and $PD^t$, it can be easily checked in polynomial time whether A is executable w.r.t. s and, 
furthermore, whether s' is the minimal consistent set that satisfies all causation rules w.r.t. s ∪ A ∪ M by 
computing the least fixpoint of a set of positive rules and verifying constraints on it. Thus, checking whether 
t is a legal state transition is polynomial in the propositional case. □ 


Corollary 5.2 Given a sequence of state transitions $T = (t_1, \ldots, t_n)$, where $t_i = (s_{i-1}, A_i, s_i)$ for 
$i = 1, \ldots, n$, and a propositional planning domain PD = (Π, (D, R)), checking whether T is legal with respect 
to PD is possible in polynomial time. 

5.1 Optimistic Planning 

From the preparatory results, we thus obtain the following result on Optimistic Planning. 

Theorem 5.3 Deciding whether for a given propositional planning problem V = (PD, q) an optimistic 
plan exists is (a) NP-complete, if the plan length in q is fixed, and (b) PSPACE-complete in general. The 
hardness parts hold even for plain V. 

Proof. (a). The problem is in NP, since a trajectory $T = (t_1, \ldots, t_i)$ where $t_j = (s_{j-1}, A_j, s_j)$ for 
$j = 1, \ldots, i$, such that $s_i$ satisfies the goal G in q = G ? (i) can be guessed and, by Corollary 5.2, verified 
in polynomial time if i is fixed. 

NP-hardness for plain V is shown by a reduction from the satisfiability problem (SAT). Let 
$\phi = C_1 \wedge \cdots \wedge C_k$ be a CNF, i.e., a conjunction of clauses $C_i = L_{i,1} \vee \cdots \vee L_{i,m_i}$ where the $L_{i,j}$ are classical literals 
over propositional atoms $X = \{x_1, \ldots, x_n\}$. We declare these atoms and a further atom ‘0’ as fluents 
in D, and put into the “initially” section $I_R$ of the planning domain PD = (∅, (D, R)) the following 
constraints: 

total $x_j$.    for all $x_j \in X$ 

forbidden $\neg L_{i,1}, \ldots, \neg L_{i,m_i}$.    $1 \leq i \leq k$ 

caused 0. 


Here, the first constraint effects the choice of a value for each fluent $x_j$. Clearly, PD has a legal initial state 
iff $\phi$ is satisfiable. Thus, an optimistic plan P exists for V = (PD, 0 ? (0)) iff $\phi$ is satisfiable. As V can 
easily be constructed from $\phi$, the result follows. 

(b). A proof of membership in PSPACE follows from the discussion in Section 4.2 (note Lemma 5.1). 
We remark that the problem can be solved by a deterministic algorithm in polynomial workspace as follows. 
Similar as in [3], design a deterministic algorithm REACH(s, s', ℓ) which decides, given states s and s' and 
an integer ℓ, whether a sequence $t_1, \ldots, t_\ell$ of legal transitions $t_i = (s_{i-1}, A_i, s_i)$ exists, where $s = s_0$ and 
$s' = s_\ell$, by cycling through all states s'' and recursively solving REACH(s, s'', ⌊ℓ/2⌋) and REACH(s'', s', ⌊ℓ/2⌋ + 1). 
Then, the existence of an optimistic plan of length ℓ can be decided by cycling through all pairs of states s, s' 
and testing whether s is a legal initial state, s' satisfies the goal given in q, and REACH(s, s', ℓ) returns 
true. Since the recursion depth is O(log ℓ), and each level of the recursion needs only polynomial space, 
Lemma 5.1 implies that this algorithm runs in polynomial space. 

For the PSPACE-hardness part, we describe how propositional STRIPS planning as in [3] can be reduced 
to planning in K, where the planning domain PD is plain. 

Recall that in propositional STRIPS, a state description s is a consistent set of propositional literals, and 
an operator op has a precondition pc(op), an add-list add(op), and a delete-list del(op), which all are lists 
of propositional literals. The operator op can be applied in s if pc(op) ⊆ s holds, and its execution yields 
the state op(s) = (s \ del(op)) ∪ add(op) (where s' must be consistent). Otherwise, the application of op on 
s is undefined. A goal γ, which is a set of literals, can be reached from a state s, if there exists a sequence 
of operators $op_1, \ldots, op_\ell$, where ℓ ≥ 0, such that $s_i = op_i(s_{i-1})$, for i = 1, ..., ℓ, where $s_0 = s$ and 
$\gamma \subseteq s_\ell$ holds. Any such sequence is called a STRIPS-plan (of length ℓ) for s, γ. Given s, γ, a collection of 
STRIPS operators $op_1, \ldots, op_n$, and an integer ℓ ≥ 0, the problem of deciding whether some STRIPS-plan 
of length at most ℓ exists is PSPACE-complete [3]. As easily seen, this remains true if we ask for a plan of 
length exactly ℓ (just introduce a dummy operation with empty precondition and no effects). 

Each STRIPS operator $op_i$ is easily modeled as action in language K using the following statements in 
the “always” section, i.e., the $C_R$ part of R: 

executable $op_i$ if $pc(op_i)$. 

caused L after $op_i$.    for each $L \in add(op_i) \setminus del(op_i)$ 

caused L after $op_i$, L.    for each $L \notin add(op_i) \cup del(op_i)$ 

The last rule is an inertia rule for the literals not affected by op. 

The initial state s of a STRIPS planning problem can be easily represented using the following 
constraints in the “initially” section, i.e., the $I_R$ part of R: 

caused L.    for all $L \in s$ 

Finally, $C_R$ contains the mandatory rules for unique action execution in a plain planning domain: 

nonexecutable $op_i$ if $op_j$.    $1 \leq i < j \leq n$ 

caused false after not $op_1$, not $op_2$, ..., not $op_n$. 

It is easy to see that for the planning problem V = (PD, q) where PD = (∅, AD) and q = γ ? (ℓ), 
some optimistic plan exists iff a STRIPS-plan of length ℓ for s, γ exists. Since V is constructible from the 
STRIPS instance in polynomial time, this proves the PSPACE-hardness part. □ 
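
An added illustration (not code from the paper) of the REACH recursion and of the STRIPS semantics recalled in this proof, run on the n-bit counter mentioned in Section 4.2. The increment operators are constructed for this example, and the recursion splits ℓ into ⌊ℓ/2⌋ and ℓ − ⌊ℓ/2⌋ (an assumption of this example) so that the two halves add up to exactly ℓ.

```python
from itertools import product
from typing import NamedTuple


class Op(NamedTuple):
    name: str
    pc: frozenset       # precondition pc(op)
    add: frozenset      # add-list add(op)
    delete: frozenset   # delete-list del(op)


def neg(lit):
    """Complement of a literal; negative literals are written with a leading '-'."""
    return lit[1:] if lit.startswith("-") else "-" + lit


def consistent(state):
    return all(neg(lit) not in state for lit in state)


def apply_op(op, state):
    """op(s) = (s \\ del(op)) | add(op) if pc(op) is a subset of s, else None."""
    if not op.pc <= state:
        return None
    result = (state - op.delete) | op.add
    return result if consistent(result) else None


def all_states(atoms):
    """Enumerate every consistent set of literals (atom true, false or absent)."""
    for choice in product((True, False, None), repeat=len(atoms)):
        yield frozenset(a if c else "-" + a
                        for a, c in zip(atoms, choice) if c is not None)


def reach(s, t, length, ops, atoms):
    """Is t reachable from s in exactly `length` steps?

    Only the current recursion stack (depth O(log length)) is kept in memory;
    no plan and no table of visited states is stored.
    """
    if length == 0:
        return s == t
    if length == 1:
        return any(apply_op(op, s) == t for op in ops)
    half = length // 2
    return any(reach(s, mid, half, ops, atoms)
               and reach(mid, t, length - half, ops, atoms)
               for mid in all_states(atoms))


def plan_exists(init, goal, length, ops, atoms):
    """Cycle through all candidate final states that satisfy the goal."""
    return any(goal <= t and reach(init, t, length, ops, atoms)
               for t in all_states(atoms))


def counter_ops(n):
    """Constructed operators: inc_i sets bit i and clears the lower bits,
    applicable when bit i is 0 and all lower bits are 1 (binary increment)."""
    ops = []
    for i in range(n):
        low = [f"b{j}" for j in range(i)]
        ops.append(Op(name=f"inc{i}",
                      pc=frozenset(low + [f"-b{i}"]),
                      add=frozenset([f"b{i}"] + ["-" + b for b in low]),
                      delete=frozenset([f"-b{i}"] + low)))
    return ops


def shortest_plan_length(n):
    """Smallest length of a plan from (0,...,0) to (1,...,1), or None."""
    atoms = [f"b{j}" for j in range(n)]
    ops = counter_ops(n)
    init = frozenset("-" + a for a in atoms)
    goal = frozenset(atoms)
    for length in range(2 ** n):
        if plan_exists(init, goal, length, ops, atoms):
            return length
    return None


if __name__ == "__main__":
    for n in (1, 2, 3):
        print(n, shortest_plan_length(n))
```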

5.2 Secure Planning 

Secure Planning appears to be harder; already recognizing a secure plan is difficult. 

Theorem 5.4 Given a propositional planning problem V = (PD, q) and an optimistic plan P for V, 
deciding whether P is secure is (a) $\Pi^P_2$-complete in general and (b) co-NP-complete, if V is proper.² Hardness 
in (a) and (b) holds even for fixed plan length in q and sequential P, and if V in (b) is moreover plain. 

Proof. The plan $P = (A_1, \ldots, A_i)$ for V is not secure, if a trajectory $T = (t_1, \ldots, t_\ell)$, where 
$t_j = (s_{j-1}, A_j, s_j)$, for $j = 1, \ldots, \ell$ exists, such that either (i) ℓ = i and $s_i$ does not satisfy the goal in q, or (ii) 
ℓ < i and for no state s, the tuple $(s_\ell, A_{\ell+1}, s)$ is a legal transition. A trajectory T of any length ℓ can, by 
Corollary 5.2, be guessed and verified in polynomial time. Condition (i) can be easily checked. Condition 
(ii) can be checked by a call to an NP oracle in polynomial time. It follows that checking security is in 
$\text{co-NP}^{\mathrm{NP}} = \Pi^P_2$ in general. If V is proper, condition (ii) can be checked in polynomial time, and thus the 
problem is in co-NP. This shows the membership parts. 

$\Pi^P_2$-hardness in case (a) is shown by a reduction from deciding whether a QBF $\Phi = \forall X \exists Y \phi$ is true, 
where X, Y are disjoint sets of variables and $\phi = C_1 \wedge \cdots \wedge C_k$ is a CNF over X ∪ Y. It is well-known that 
this problem is $\Pi^P_2$-complete, cf. [54]. Without loss of generality, we assume that $\phi$ is satisfied if all atoms 
in X ∪ Y are set to true. 

We declare the atoms in X ∪ Y and further atoms 0 and 1 as fluents in D. The “initially” section $I_R$ 
for AD = (D, R) has the following constraints: 

total $x_j$.    for all $x_j \in X$ 

caused 0. 

The “always” section $C_R$ of R contains the following rules. Suppose that $L_{i,1}, \ldots, L_{i,n_i}$ are all literals over 
atoms from X which occur in $C_i$, and similarly that $K_{i,1}, \ldots, K_{i,m_i}$ are all literals over atoms from Y that 
occur in $C_i$. 

total $y_j$ after 0.    for all $y_j \in Y$ 

forbidden $\neg K_{i,1}, \ldots, \neg K_{i,m_i}$ after 0, $\neg L_{i,1}, \ldots, \neg L_{i,n_i}$.    $1 \leq i \leq k$ 

caused 1 after 0. 

These rules generate $2^{|X|}$ legal initial states $s_0^1, \ldots, s_0^{2^{|X|}}$ w.r.t. (∅, AD), which correspond 1-1 to the 
truth assignments to the atoms in X. Each such $s_0^i$ contains precisely one of $x_j$ and $\neg x_j$, for all $x_j \in X$, 
and the atom 0. The totalization rule for $y_j$ effects that each legal state $s_1$ following the initial state contains 
exactly one of $y_j$ and $\neg y_j$. That is, $s_1$ must encode a truth assignment for Y. The forbidden statements 
check that the assignment to X ∪ Y, given jointly by $s_0^i$ and $s_1$, satisfies all clauses of $\phi$. Furthermore, 1 
must be contained in $s_1$ by the last rule. 

Let us introduce an action a, which is always executable. Then, the assumption on $\phi$ implies that 
$P = ((s_0, A_1, s_1))$, where $s_0 = X \cup \{0\}$, $A_1 = \{a\}$, and $s_1 = X \cup Y \cup \{1\}$, is a trajectory w.r.t. 
PD = (∅, AD), and thus $P = (A_1)$ is an optimistic plan for the planning problem V = (PD, q) where 
q = 1 ? (1). It is not hard to see that P is secure iff $\Phi$ is true. Since (PD, q) is easily constructed from $\Phi$, 
this proves the hardness part of (a). The hardness part of (b) is established by a variant of the reduction; we 
disregard Y (i.e., Y = ∅), and modify the rules as follows: false (after macro expansion) is replaced by 
1, and the rule with effect 1 is dropped. Note that the resulting planning domain is plain. Then, the plan 
$P = (A_1)$ is secure iff is true, i.e., the CNF $\phi$ is unsatisfiable, which is co-NP-hard to check. □ 

² We are grateful to Hudson Turner for pointing out that in a draft of [11], a co-NP-upper bound as reported there obtains only 
if deciding executability of an action (leading to a new legal state) is in P, and that the complexity in the general case may be one 
level higher up in PH. In fact, we were mainly interested in such domains, which are covered by our notion of proper domains. 

For Secure Planning, we obtain the following result. 

Theorem 5.5 Deciding whether a given propositional planning problem V = (PD, q) has a secure plan is 
(a) $\Sigma^P_3$-complete, if the plan length in q is fixed, (b) $\Sigma^P_2$-complete, if the plan length in q is fixed and V is 
proper. Hardness in (b) holds even for deterministic and plain PD. 

Proof. (a) and (b). A trajectory $T = ((s_0, A_1, s_1), \ldots, (s_{i-1}, A_i, s_i))$ of fixed length i that induces an 
optimistic plan $P = (A_1, \ldots, A_i)$ can be guessed and verified in polynomial time (Corollary 5.2), and by 
Theorem 5.4, checking whether P is secure is possible with a call to an oracle for $\Pi^P_2$ in case (a) and for 
co-NP in case (b). Hence, it follows that the problem is in $\Sigma^P_3$ in case (a) and in $\Sigma^P_2$ in case (b). 

For the hardness part of (a), we transform deciding the validity of a QBF $\Phi = \exists Z \forall X \exists Y \phi$, where 
X, Y, Z are disjoint sets of variables and $\phi = C_1 \wedge \cdots \wedge C_k$ is a CNF over X ∪ Y ∪ Z, which is $\Sigma^P_3$-complete 
[54], into this problem. The transformation extends the reduction in the proof of Theorem 5.4. 

We introduce, for each atom $z_i \in Z$, an action $set_{z_i}$ in D. The “initially” section, i.e., the $I_R$ part 
of R contains the following constraints: 

total $x_j$.    for all $x_j \in X$ 

caused 0. 

$C_R$ contains the following rules. Suppose that $L_{i,1}, \ldots, L_{i,n_i}$ are all literals over atoms from X that occur 
in $C_i$, and similarly that $K_{i,1}, \ldots, K_{i,m_i}$ are all literals over atoms from Y ∪ Z that occur in $C_i$. 

caused $z_i$ after 0, $set_{z_i}$.    for all $z_i \in Z$ 

caused $\neg z_i$ after 0, not $set_{z_i}$.    for all $z_i \in Z$ 

caused 1 after 0. 

total $y_j$ after 0.    for all $y_j \in Y$ 

forbidden $\neg K_{i,1}, \ldots, \neg K_{i,m_i}$ after 0, $\neg L_{i,1}, \ldots, \neg L_{i,n_i}$.    $1 \leq i \leq k$ 

Given these action descriptions, there are $2^{|X|}$ many legal initial states $s_0^1, \ldots, s_0^{2^{|X|}}$ for the emerging 
planning domain PD = (∅, AD), which correspond 1-1 to the possible truth assignments to the variables in 
X and contain 0. Executing in these states $s_0^i$ some actions A means assigning a subset of Z the value true. 
Every state $s_1$ reached from $s_0^i$ by a legal transition must, for each atom $\alpha \in Z \cup Y$, either contain $\alpha$ or $\neg\alpha$, 
where for the atoms in Z this choice is determined by A. Furthermore, $s_1$ must contain the atom 1. 

It is not hard to see that an optimistic plan of form $P = (A_1)$ (where $A_1 \subseteq \{set_{z_i} \mid z_i \in Z\}$) for the 
goal 1 exists w.r.t. PD = (∅, AD) iff there is an assignment to all variables in X ∪ Y ∪ Z such that the 
formula $\phi$ is satisfied. Furthermore, P is secure iff $A_1$ represents an assignment to the variables in Z such 
that, regardless of which assignment to the variables in X is chosen (which corresponds to the legal initial 
states $s_0^i$), there is some assignment to the variables in Y (i.e., there is at least some state $s_1$ reachable from 
$s_0^i$ by doing $A_1$), such that all clauses of $\phi$ are satisfied; any such $s_1$ contains 1. In other words, P is secure 
iff $\Phi$ is true. 

Since PD is constructible from $\Phi$ in polynomial time, it follows that deciding whether a secure plan 
exists for V = (PD, q), where q = 1 ? (1), is $\Sigma^P_3$-hard. This proves part (a). 

For the hardness part of (b), we modify the construction for part (a) by assuming that Y = 0, and 

• replace false in rule heads (after macro expansion) by 1; 
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• remove the rule for 1 and the total-rules for yj). 

The resulting planning domain PD' is proper: since no causation rule in $C_R$ contains default negation,
for each transition $t = \langle s, A, s_1 \rangle$, the reduct $PD'^{t}$ coincides with $PD'^{\langle s, A, \emptyset \rangle}$, and thus existence of a legal
transition $\langle s, A, s_1 \rangle$ can be determined in polynomial time. Furthermore, $\langle s, A, s_1 \rangle$ is determined, and thus
PD' is also deterministic. We have again $2^{|X|}$ initial states $s_0^i$, which correspond to the truth assignments to
X. An optimistic plan for the goal 1 of the form $P = \langle A_1 \rangle$, where $A_1 \subseteq \{set_{z_i} \mid z_i \in Z\}$, corresponds
to an assignment to $Z \cup X$ such that $\phi$ evaluates to false. The plan P is secure iff every assignment to X,
extended by the assignment to Z encoded by $A_1$, makes $\phi$ false.

It follows that a secure plan for $V = \langle PD', q \rangle$, where q = 1 ? (1), exists iff the QBF $\exists Z \forall X \neg\phi$ is true.
Evaluating a QBF of this form is $\Sigma_2^P$-hard (recall that $\phi$ is in CNF). Since V is constructible in polynomial
time, this proves $\Sigma_2^P$-hardness for part (b). □

Next, we consider Secure Planning under arbitrary plan length. 

As mentioned above, we can build a secure plan step by step only if we know all states that are reachable
after the steps $A_1, \ldots, A_i$ so far when the next step $A_{i+1}$ is generated. Either we store these states explicitly,
which needs exponential space in general, or we store the steps $A_1, \ldots, A_i$ (from which these states can
be recovered) which also needs exponential space in the representation size of $\langle PD, q \rangle$. In any case, such a
nondeterministic algorithm for generating a secure plan needs exponential time. The next result shows that
NEXPTIME actually captures the complexity of deciding the existence of a secure plan.

Theorem 5.6 Deciding whether a given propositional planning problem $V = \langle PD, q \rangle$ has a secure plan is
NEXPTIME-complete. Hardness holds even for plain (and thus deterministic) V.

Proof. As for the membership part, the size of a string representing a secure plan $P = \langle A_1, \ldots, A_i \rangle$ of
length i for the query q = Goal ? (i) is at most $O(i \cdot |PD|)$, which is single exponential in the sizes $|PD|$
and $\log i$ of the strings for PD and i, respectively. Hence, this string has size single exponential in the size
of V. We can thus guess and verify a secure plan P for V in (single) exponential time as follows:

1. Compute the set $S_0$ of all legal initial states. If $S_0 = \emptyset$, then P is not secure (in fact, no secure plan
exists).

2. Otherwise, for each $j = 1, \ldots, i$, compute for each $s \in S_{j-1}$ the set $S_j(s) = \{s' \mid \langle s, A_j, s' \rangle$ is a
legal transition$\}$, and halt if some $S_j(s)$ is empty; otherwise, set $S_j = \bigcup_{s \in S_{j-1}} S_j(s)$.

3. Finally, check whether the goal is satisfied in every $s \in S_i$ and accept iff this is true.

The computation of $S_0$, as well as of each $S_j(s)$, can be done in single exponential time, by considering
all possible knowledge states s' that might occur in a legal transition $\langle s, A_j, s' \rangle$. The number of different
$S_j(s)$ is exponentially bounded in the size of V; thus, overall an exponential number of steps suffices to
check whether the plan P is secure.

The NEXPTIME-hardness part is shown by a generic Turing machine (TM) encoding. That is, given a
nondeterministic TM M which accepts a language $L$ in exponential time and an input word w, we show
how to construct a plain planning problem $V = \langle PD, q \rangle$ in polynomial time which has a secure plan iff M
accepts w. Roughly, the states in the set $S_0$ of legal initial states encode the tape cells of M and their initial
contents; the actions in a secure plan represent the moves of the machine, which change the cell contents,
and lead to acceptance of w. While the idea is clear, the technical realization bears some subtleties.

The reduction is as follows. Without loss of generality, M halts on w in less than $2^{n^k}$ many steps, where
$n = |w|$ is the length of the input and $k > 0$ is some fixed integer (independent of n), and M has a unique
accepting state. We modify M such that it loops in this state once it is reached. The cells $C_0, C_1, \ldots, C_N$,
where $N = 2^{n^k} - 1$, of the work tape of M (only those are relevant) are represented in different legal states
of the planning domain. Initially, the cells $C_0, \ldots, C_{|w|-1}$ contain the symbols $w_0, w_1, \ldots, w_{|w|-1}$ of the
input word w, and all other cells $C_{|w|}, \ldots, C_N$ are blank.

The computation of M on w is modeled by a secure plan $P = \langle A_1, \ldots, A_N \rangle$, in which each $A_j$ contains
a single action $a_\tau$, which models the transition of M from the current configuration of the machine to the
next one. A configuration of M, given by the contents of the work tape, the position of the read-write (rw)
head, and the current state of the machine, is described by legal knowledge states $s_i$, $0 \le i \le N$, such that
$s_i$ contains the symbol $\sigma$ currently stored in $C_i$, the current position h of the rw-head, and the current state
q of M; all this information is encoded using fluents.

The information to which cell $C_i$ a legal knowledge state corresponds is given by literals $\pm i_1, \ldots, \pm i_{n^k}$,
which represent the integer $i \in [0, N]$ in binary encoding, where $i_j$ (resp., $\neg i_j$) means that the j-th bit of
i is 1 (resp., 0). The position of the rw-head, $h \in [0, N]$, is represented similarly using further literals
$\pm h_1, \ldots, \pm h_{n^k}$. Each symbol $\sigma$ in the tape alphabet $\Sigma$ of M is represented by a fluent $p_\sigma$. Similarly, each
state q in the set Q of states of M is represented by a fluent $p_q$; in each legal knowledge state, exactly one
$p_\sigma$ and one $p_q$ is contained. There are $2^{n^k}$ legal initial knowledge states, which uniquely describe the initial
configuration of M, in which the rw-head of M is placed over $C_0$, M is in its initial state (say, $q_1$), and the
work tape contains the input w.

The legal initial knowledge states s are generated using constraints which “guess” a value for each bit of
i, initialize the contents of $C_i$ with the right symbol $p_\sigma$, include $\neg h_j$ for all $j = 1, \ldots, n^k$ (i.e., set h = 0),
and include $q_1$. More precisely, the “initially” section, i.e. $I_R$ of R in $AD = \langle D, R \rangle$ is as follows:


total $i_j$.                                                       for all $j = 1, \ldots, n^k$
caused $\neg h_j$.                                                 for all $j = 1, \ldots, n^k$   % set h = 0
caused $p_{w_0}$ if $\neg i_1, \neg i_2, \ldots, \neg i_{n^k}$.    % work tape position 0
caused $p_{w_1}$ if $i_1, \neg i_2, \ldots, \neg i_{n^k}$.         % work tape position 1
$\vdots$
caused $p_{w_{|w|-1}}$ if “code of $|w| - 1$”.                     % work tape position $|w| - 1$
caused $p_\sqcup$ if not $p_{\sigma_1}, \ldots,$ not $p_{\sigma_m}$.   % rest of tape is blank
caused $q_1$.                                                      % initial state is $q_1$

Here, the tape alphabet $\Sigma$ is assumed to be $\Sigma = \{\sqcup, \sigma_1, \sigma_2, \ldots, \sigma_m\}$, where $\sqcup$ is the blank symbol.
The transition function of M is given by tuples $\tau = \langle \sigma, q, \sigma', d, q' \rangle$, which reads as follows: if M is in
state q and reads the symbol $\sigma$ at the current rw-head position h (i.e., $C_h$ contains $\sigma$), then M writes $\sigma'$ at
the position h (i.e., into $C_h$), moves the rw-head to position h + d, where $d = \pm 1$, and changes to state q'.
(Without loss of generality, we omit here modeling that the rw-head might remain in the same position.)

Such a possible transition $\tau$ is modeled using rules which describe how to change a current knowledge
state s, which corresponds to the tape cell $C_i$, to reflect $C_i$ in the new configuration of M. Informally, its
constituents are manipulated as follows.

work tape contents: For the case that h = i, i.e., the rw-head is at position i, a rule includes $p_{\sigma'}$ into the
state. Otherwise, i.e., the rw-head is not at position i, an inertia rule includes $p_\sigma$, where $\sigma$ is the old contents
of $C_i$, to the new knowledge state.

rw-head position: The change of the rw-head position by $\pm 1$ is incorporated by replacing h with $h \pm 1$.
This is possible using a few rules, which simply realize an increment resp. decrement of the counter
h. We assume at this point that M is well-behaved, i.e., does not move left of $C_0$.

state: A rule includes $p_{q'}$ for the resulting state q' of M into the new knowledge state.

To implement this, we introduce for each possible transition $\tau = \langle \sigma, q, \sigma', d, q' \rangle$ of M an action $a_\tau$,
whose executability is stated in $C_R$ as follows:

executable $a_\tau$ if $p_q$, $p_\sigma$, h = i.
executable $a_\tau$ if not h = i.

Here h = i is a fluent atom, which indicates whether the rw-head position h is the index i of the cell $C_i$
represented by the knowledge state.

Furthermore, several groups of rules are put in the “always” section, i.e. $C_R$ of R. The first group
serves for determining the value of h = i, using auxiliary fluents $e_1, \ldots, e_{n^k}$:

caused $e_j$ if $h_j$, $i_j$.              for all $j = 1, \ldots, n^k$

caused $e_j$ if $\neg h_j$, $\neg i_j$.    for all $j = 1, \ldots, n^k$

caused h = i if $e_1, \ldots, e_{n^k}$.

The execution of $a_\tau$ effects a change in the state and the contents of $C_i$:

caused $p_{\sigma'}$ after $a_\tau$, h = i.
caused $p_\sigma$ after $a_\tau$, $p_\sigma$, not h = i.    for all $\sigma \in \Sigma$
caused $p_{q'}$ after $a_\tau$.

Depending on the value of d, different rules are added for realizing the move of the rw-head. Recall that,
given the binary representation $x01 \cdots 1$ of an integer z, the binary representation of z + 1 is $x10 \cdots 0$.
The rules for d = 1 are as follows.

caused $h_1$ after $a_\tau$, $\neg h_1$.
caused $h_2$ after $a_\tau$, $\neg h_2$, $h_1$.
caused $\neg h_1$ after $a_\tau$, $\neg h_2$, $h_1$.
$\vdots$
caused $h_{n^k}$ after $a_\tau$, $\neg h_{n^k}$, $h_{n^k-1}, \ldots, h_1$.
caused $\neg h_{n^k-1}$ after $a_\tau$, $\neg h_{n^k}$, $h_{n^k-1}, \ldots, h_1$.
$\vdots$
caused $\neg h_1$ after $a_\tau$, $\neg h_{n^k}$, $h_{n^k-1}, \ldots, h_1$.
caused $h_\ell$ after $a_\tau$, $h_\ell$, $\neg h_j$.              where $1 \le j < \ell \le n^k$
caused $\neg h_\ell$ after $a_\tau$, $\neg h_\ell$, $\neg h_j$.    where $1 \le j < \ell \le n^k$

The last two rules serve for carrying the leading bits of i, which are not affected by the increment, over to the
new knowledge state. (This could also be realized in a simpler way using inertial statements; however,
recall that such rules are not allowed in plain domains.)

The rules for d = -1 are similar, with the roles of 0 and 1 interchanged:

caused $\neg h_1$ after $a_\tau$, $h_1$.
caused $\neg h_2$ after $a_\tau$, $h_2$, $\neg h_1$.
caused $h_1$ after $a_\tau$, $h_2$, $\neg h_1$.
$\vdots$
caused $\neg h_{n^k}$ after $a_\tau$, $h_{n^k}$, $\neg h_{n^k-1}, \ldots, \neg h_1$.
caused $h_{n^k-1}$ after $a_\tau$, $h_{n^k}$, $\neg h_{n^k-1}, \ldots, \neg h_1$.
$\vdots$
caused $h_1$ after $a_\tau$, $h_{n^k}$, $\neg h_{n^k-1}, \ldots, \neg h_1$.
caused $h_\ell$ after $a_\tau$, $h_\ell$, $h_j$.              where $1 \le j < \ell \le n^k$
caused $\neg h_\ell$ after $a_\tau$, $\neg h_\ell$, $h_j$.    where $1 \le j < \ell \le n^k$
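
A check of the head-movement rules for d = 1 and d = -1 above, as an added example that is not part of the original report: it generates both rule families for an n-bit counter and confirms exhaustively that they realize increment and decrement. The function names and the literal spelling h1, -h1 are assumptions of this sketch, and the action atom a_tau that every rule carries in its after-part is left implicit.

```python
def head_move_rules(n, d):
    """Rules moving the rw-head by d (+1 or -1) over an n-bit counter h.

    Each rule is (head, body), read as `caused head after a_tau, body.`
    Bit 1 is the least significant bit.
    """
    if d not in (1, -1):
        raise ValueError("d must be +1 or -1")
    # d = +1: a carry runs through trailing 1-bits and stops at the lowest 0-bit.
    # d = -1: a borrow runs through trailing 0-bits and stops at the lowest 1-bit.
    run, stop = ("h%d", "-h%d") if d == 1 else ("-h%d", "h%d")
    rules = []
    for m in range(1, n + 1):
        # Bit m stops the carry/borrow; bits m-1 .. 1 all propagate it.
        body = [stop % m] + [run % j for j in range(m - 1, 0, -1)]
        rules.append((run % m, body))                             # bit m flips
        rules += [(stop % j, body) for j in range(m - 1, 0, -1)]  # lower bits flip
    for l in range(2, n + 1):
        for j in range(1, l):
            # A lower bit j stops the carry/borrow, so bit l is carried over.
            rules.append(("h%d" % l, ["h%d" % l, stop % j]))
            rules.append(("-h%d" % l, ["-h%d" % l, stop % j]))
    return rules


def encode(h, n):
    """Knowledge-state literals for the counter value h."""
    return {("h%d" if (h >> (j - 1)) & 1 else "-h%d") % j for j in range(1, n + 1)}


def decode(literals, n):
    """Integer encoded by the literals, or None if a bit is undefined or contradictory."""
    value = 0
    for j in range(1, n + 1):
        pos, neg = "h%d" % j in literals, "-h%d" % j in literals
        if pos == neg:
            return None
        value |= pos << (j - 1)
    return value


def move_head(h, n, d):
    """Fire every rule whose body holds in the old state; the heads form the new state."""
    state = encode(h, n)
    fired = {head for head, body in head_move_rules(n, d) if set(body) <= state}
    return decode(fired, n)


def check_counter(n):
    """True iff the rules compute h+1 resp. h-1 for every in-range position h."""
    top = 2 ** n - 1
    up = all(move_head(h, n, 1) == h + 1 for h in range(top))
    down = all(move_head(h, n, -1) == h - 1 for h in range(1, top + 1))
    return up and down


if __name__ == "__main__":
    print(check_counter(4), len(head_move_rules(4, 1)))
```

At the ends of the tape (h = 0 with d = -1, or h = N with d = 1) no rule fires and the successor carries no head position, which is why the construction assumes a well-behaved M.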

Further rules are added to $C_R$ for carrying the cell index i over to the next knowledge state:

caused $i_j$ after $i_j$.              for all $j = 1, \ldots, n^k$

caused $\neg i_j$ after $\neg i_j$.    for all $j = 1, \ldots, n^k$

Finally, the mandatory rules of a plain planning domain enforcing the execution of one and only one
action in each transition are added to $C_R$.

As easily checked, all rules that we have introduced satisfy the syntactic restrictions for plain planning 
domains. 

Suppose now that $q_m \in Q$ is the unique accepting state of M. Then, a secure plan $P = \langle A_1, \ldots, A_l \rangle$ of
length l reaching the goal $q_m$ corresponds to the fact that M will, starting from the initial configuration, be
in an accepting configuration after executing the transitions $\tau_1, \ldots, \tau_l$, where $A_j = \{a_{\tau_j}\}$, for $j = 1, \ldots, l$.
By our assumption on M, we know that M can reach some accepting configuration within N steps iff it
can reach an accepting configuration in exactly N steps. Thus, we have that M accepts the input w iff there
exists some secure plan of length N for the goal $q_m$ in the planning domain $PD = \langle \emptyset, AD \rangle$ where AD is
from above. In other words, M accepts w within N steps iff the proper propositional planning problem
$V = \langle PD, q_m\ ?\ (N) \rangle$ has a secure plan.

As easily seen, V can be constructed in polynomial time from M and w. This proves NEXPTIME-hardness
of deciding the existence of a secure plan, even under the restriction to plain planning problems.

□ 

Secure planning has lower complexity if the plan length is fixed and concurrent actions are not allowed. 

Theorem 5.7 Deciding whether a given propositional planning problem $V = \langle PD, q \rangle$ has a secure sequential
plan is (a) $\Pi_2^P$-complete, if q is fixed, and (b) $D^P$-complete, if q is fixed and V is proper. The hardness
part of (b) holds even for plain V.

Proof. If the plan length i in the query q = Goal ? (i) is fixed, the number of candidate sequential secure
plans, given by $(a + 1)^i$, where a is the number of actions in PD, is bounded by a polynomial.

A candidate $P = \langle A_1, \ldots, A_i \rangle$ is not a secure plan, if (i) no initial state $s_0$ exists, or (ii) like in the
proof of Theorem 5.4, a trajectory $T = \langle t_1, \ldots, t_l \rangle$, where $t_j = \langle s_{j-1}, A_j, s_j \rangle$, for $j = 1, \ldots, l$ exists,
such that either (ii.1) l = i and $s_i$ does not satisfy the goal in q, or (ii.2) l < i and for no state s, the tuple
$\langle s_l, A_{l+1}, s \rangle$ is a legal transition. The test for (i) is in co-NP, while the test for (ii) is in $\Sigma_2^P$ in general and
in NP if V is proper (cf. proof of Theorem 5.4). Note that (i) is identical for all candidates.

Thus, the existence of a sequential secure plan can be decided by the conjunction of a problem in NP
and a disjunction of polynomially many instances of a problem in $\Pi_2^P$ in case (a) and in co-NP in case (b);
since NP $\subseteq \Pi_2^P$ and both $\Pi_2^P$ and co-NP are closed under polynomial disjunctions and conjunctions of
instances (i.e., a logical disjunction resp. conjunction of instances can be polynomially transformed into an
equivalent single instance), it follows that the problem is in $\Pi_2^P$ in case (a) and in $D^P$ in case (b).

$\Pi_2^P$-hardness for case (a) follows from the reduction in the proof of Theorem 5.4. There, a secure,
sequential plan exists for the query 1 ? (1) iff the plan $P = \langle \{a\} \rangle$ is secure.

$D^P$-hardness for case (b) is shown by a reduction from deciding, given CNFs $\phi = \bigwedge_{i=1}^{n} L_{i,1} \vee L_{i,2} \vee L_{i,3}$
and $\psi = \bigwedge_{j=1}^{m} K_{j,1} \vee K_{j,2} \vee K_{j,3}$ over disjoint sets of atoms X and Y, respectively, whether $\phi$ is satisfiable
and $\psi$ is unsatisfiable.

The “initially” section, i.e., $I_R$ of R contains the following constraints:

total $x_j$.                                                    for all $x_j \in X$

caused $L_{i,1}$ if $\neg L_{i,2}$, $\neg L_{i,3}$.             for all $i = 1, \ldots, n$

total $y_j$.                                                    for all $y_j \in Y$

caused f if $\neg K_{i,1}$, $\neg K_{i,2}$, $\neg K_{i,3}$.     for all $i = 1, \ldots, m$

Obviously, these rules satisfy the conditions for a plain planning domain. Then, for the query q = f ? (0),
the only candidate for a sequential secure plan is the empty plan $P = \langle \rangle$. As easily seen, P is a secure plan
for q iff $\phi$ is satisfiable (which is equivalent to the existence of some legal initial state) and $\psi$ is unsatisfiable
(which means that f is true in each initial state). This proves the hardness part of (b). □

We conclude this section by remarking that the constructions in the proofs of the hardness parts of
Theorem 5.4, items (a) and (b) of Theorem 5.5, and item (a) of Theorem 5.7 involve planning problems
that have length fixed to 1. For plan length fixed to 0, these problems have lower complexity
(co-NP-completeness for the problems in Theorem 5.4 and $D^P$-completeness for the other problems).

6 Related Work 

There is a huge body of literature on planning (see [72, 73] for surveys). We will only focus on directly 
related research: 

• Action languages and answer set planning 

• Planning under incomplete knowledge 

• Planning Complexity 

6.1 Action Languages and Answer Set Planning 

The language $\mathcal{K}$ proposed in this paper builds on earlier work on action languages [24]. The language A,
proposed in [23] provides a rudimentary set of causal statements, which roughly corresponds to $\mathcal{K}$ with
complete states in which all rules r are of the form (2) of section 2.1 with $post(r) = \emptyset$, all actions are
executable by default in any state, and all fluents are inertial. The language B described in [24] is very similar
to A, the difference is that the restriction on rules is relaxed and rules r of the form (2) with $pre(r) = \emptyset$ are
allowed additionally, enabling the formulation of ramifications.

The language C, proposed in [27] and based on the theory of causal explanation in [48, 42], is the
action language which is closest to $\mathcal{K}$. In C not all fluents are automatically inertial - just as in $\mathcal{K}$ it
must be explicitly declared if a fluent has the property of being inertial. As in $\mathcal{K}$, this is achieved by
a macro inertial F. which is defined in C as caused F if F after F. whereas in $\mathcal{K}$ it is defined as
caused F if not $\neg$F after F. Furthermore, C has like $\mathcal{K}$ a macro default F. for declaring that a property
holds by default. In C, it stands for caused F if F, while in $\mathcal{K}$, it is defined as caused F if not $\neg$F.
The difference in macro expansion is due to the different semantic definition of transitions and also due to
the lack of default negation in C. In particular, default F. means in C that F is true without the need of
further causal support. Finally, C also provides a way to specify nondeterministic action effects.

None of the abovementioned languages explicitly supports initial state constraints, nor does any support 
explicit executability conditions. Most importantly, their underlying semantics is not based on knowledge 
states, so fluents may not be undefined in any state. As a consequence, totality of fluents cannot be expressed 
in any of the languages A, B, and C, as each fluent is implicitly total, and default negation is not supported. 

In [65, 8] two approaches can be found, in which planning problems are formulated directly using 
answer set programming, without an intermediate representation in an action language. These approaches 
have an obvious representational deficiency, as recurring patterns and concepts are not summarized in a more 
abstract action language. The problems studied in these papers do not contain ramifications, and all fluents 
are assumed to be inertial; explicit executability conditions are considered, though. Furthermore, none of 
these approaches comprises nondeterministic action effects or incomplete initial states. Default negation is 
only used for the implementation of the planning framework and is not allowed for the specification of the 
transition system. 


6.2 Planning Under Incomplete Knowledge 

Planning under incomplete knowledge has been widely investigated in the AI literature. Most works extend 
algorithms/systems for classical planning, rather than using deduction techniques for solving planning tasks 
as proposed in this paper. The systems Buridan [39], UDTPOP [55], Conformant Graphplan [64], CNLP 
[56] and CASSANDRA [58] fall in this class. In particular, Buridan, UDTPOP, and Conformant Graphplan 
can solve secure planning (also called conformant planning) like DLV$^{\mathcal{K}}$. On the other hand, the systems
CNLP and CASSANDRA deal with conditional planning (where the sequence of actions to be executed 
depends on dynamic conditions). 

More recent works propose the use of automated reasoning techniques for planning under incomplete 
knowledge. In [60] a technique for encoding conditional planning problems in terms of 2-QBF formulas is 
proposed. The work in [21] proposes a technique based on regression for solving secure planning problems 
in the framework of the situation calculus, and presents a Prolog implementation of such a technique. In 
[49], sufficient syntactic conditions ensuring security of every (optimistic) plan are singled out. While 
sharing their logic-based nature, our work presented in this paper differs considerably from such proposals, 
since it is based on a different formalism. 

Work similar to ours has been independently reported in [25]. In that paper, the author presents a 
SAT-based procedure for computing secure plans over planning domains specified in the action language C 
[27, 43, 45]. The main differences between our paper and [25] are (i) the different action languages used for
specifying planning domains: C vs $\mathcal{K}$; the former is closer to classical logic, while the latter is more “logic
programming oriented” by the use of default negation; (ii) the different computational engines underlying the
two systems (a SAT Checker vs a DLP system), which imply completely different translation techniques for 
the implementation. 
6.3 Planning Complexity

Our results on the complexity of planning in $\mathcal{K}$ are related to several results in the planning literature. First
and foremost, planning in STRIPS can be easily emulated in $\mathcal{K}$ planning domains, and thus results for
STRIPS planning carry over to respective planning problems in $\mathcal{K}$, in particular Optimistic Planning, which
by the results in [3, 14] is PSPACE-complete.

As for finding secure plans (alias conformant or valid plans), there have been interesting results in the
recent literature. Turner [69] has analyzed in a recent paper the effect of various assumptions on different
planning problems, including conformant planning and conditional planning under domain representation
based on classical propositional logic. In particular, Turner reports that deciding the existence of a classical
(i.e., optimistic) plan of polynomial length is NP-complete, and NP-hard already for length 1 where actions
are always executable. Furthermore, he reports that deciding the existence of a conformant (i.e., secure)
plan of polynomial length is $\Sigma_3^P$-complete, and $\Sigma_3^P$-hard already for length 1. Furthermore, the problem is
reported $\Sigma_2^P$-complete if, in our terminology, the planning domain is proper, and $\Sigma_2^P$-hard for length 1 in
deterministic planning domains. Turner’s results match our complexity results, announced in [11]; this is
intuitively sound, since answer set semantics and classical logic, which underlies ours and his framework,
respectively, have the same computational complexity.

Enrico Giunchiglia [25] considered conformant planning in the action language C, where concurrent 
actions, constraints on the action effects, and nondeterminism on both the initial state and effects of the 
actions are allowed - all these features are provided in our language $\mathcal{K}$ as well. Furthermore, Giunchiglia
presented the planning system C-plan, which is based on SAT solvers for computing, in our terminology, 
optimistic and secure plans following a two step approach. For this purpose, transformations of finding 
optimistic plans and security checking into SAT instances and QBFs are provided. The same approach is 
studied in [19] for an extension of STRIPS in which part of the action effects may be nondeterministic. 
While not explicitly analyzed, the structures of the QBFs emerging in [25, 19] reflect our complexity results 
for Optimistic Planning and Security Checking. 

Rintanen [60] considered planning in a STRIPS-style framework. He showed that, in our terminology,
deciding the existence of a polynomial-length sequential optimistic plan for every totalization of the initial
state, given that actions are deterministic, is $\Pi_2^P$-complete. Furthermore, Rintanen showed how to extract a
single such plan P which works for all these totalizations, from an assignment to the variables X witnessing
the truth of a QBF $\exists X \forall Y \exists Z\, \phi$ that is constructed in polynomial time from the planning instance. Thus,
the associated problem of deciding whether such a plan P exists is in $\Sigma_3^P$. Note that intuitively, checking
suitability of a given optimistic plan is in this problem more difficult than Security Checking, since only the
operability of some trajectory vs all trajectories must be checked for each initial state. However, the problems
have the same complexity ($\Pi_2^P$-hardness for Rintanen’s problem is obtained by slightly adapting the
proof of Theorem 5.4), and are thus polynomially intertranslatable. Following Rintanen’s and Giunchiglia’s
approach, finding secure plans for planning problems in $\mathcal{K}$ can be mapped to solving QBFs. However, since
our framework is based on answer set semantics, the respective QBFs will be more involved due to intrinsic
minimality conditions of the answer set semantics.

Baral et al. [1] studied the complexity of planning under incomplete information about initial states
in the language A [23], which is similar to the framework in [60] and gives rise to proper, deterministic
planning domains. They show that deciding the existence of an, in our terminology, polynomial-length
secure sequential plan is $\Sigma_2^P$-complete. Notice that we have considered this problem for plans of fixed
length, for which this problem is $D^P$-complete and thus simpler.

From our results on the complexity of planning in the language $\mathcal{K}$, similar complexity results may
be derived for other declarative planning languages, such as STRIPS-like formalisms as in [60] and the
language A [23], or the fragment of C restricted to causation of literals (cf. [25]), by adaptations of our
complexity proofs. The intuitive reason is that in all these formalisms, state transitions are similar in spirit
and have similar complexity characteristics. In particular, our results on Secure Planning should be easily
transferred to these formalisms by adapting our proofs for the appropriate problem setting.

7 Conclusion 

In this paper, we have presented an approach to knowledge-state planning, based on nonmonotonic logic
programming. We have introduced the language $\mathcal{K}$, defined its syntax and semantics, and then shown how this
language can be used to represent various planning problems from the planning literature, in various settings
comprising incomplete initial states, nondeterministic action effects, and parallel executions of actions. In
particular, we have shown how knowledge states, rather than world states, can be used in representing planning
problems. We then have thoroughly analyzed the computational complexity of propositional planning
problems in $\mathcal{K}$, where we have considered optimistic planning and secure (i.e., conformant) planning. As
we have seen, under various restrictions these problems range in complexity from the first level of the Polynomial
Hierarchy to NEXPTIME. In particular, secure planning under fixed vs variable plan length turned
out to be $\Sigma_3^P$-complete and NEXPTIME-complete, respectively. Finally, we have compared our work to a
number of related planning approaches and complexity results from the literature.

As we believe, the language $\mathcal{K}$, and in particular the nonmonotonic negation operator available in it,
allows for a more convenient and natural representation of certain pieces of knowledge that are part of a
planning problem than similar languages. In particular, this applies to Giunchiglia and Lifschitz’s important
language C, which was the starting point for developing our $\mathcal{K}$ language. We have demonstrated that natural
knowledge-state encodings of particular planning problems, e.g. some versions of the “bomb in the toilet”
problem, exist, for which the problem of finding optimistic plans coincides with the problem of finding
secure plans, while for encodings in the literature, which are based on the world state paradigm, this equivalence
does not hold — all of the world-state-based encodings require secure planning, which is conceptually
and computationally harder. We point out that the “bomb in the toilet” problems per se are computationally
easy, so it seems that encodings based on world states artificially bloat these problems because of their lack
of allowing a natural statement about fluents being unknown in some state.

Indeed, we have verified experimentally, using the DLV$^{\mathcal{K}}$ system, that the knowledge-state encodings of
the “bomb in the toilet” problems reported in this paper run considerably faster than their world-state-based
counterparts. The DLV$^{\mathcal{K}}$ system, which is described in detail in a companion paper [12], implements the
language $\mathcal{K}$ on top of the DLV logic programming system [13, 16]. It supports both optimistic and secure
planning (currently, the latter is supported for restricted classes of planning problems). Extensive experimental
evaluation has shown that the DLV$^{\mathcal{K}}$ system, even if it was built merely as a front end to another system
and not optimized for performance, had reasonable performance compared to other similar systems, and
even outperformed various specialized systems for conformant planning under the use of knowledge-state
problem encodings. This shows that nonmonotonic logic programming has potential for declarative planning,
and that, in our opinion, further exploration of the knowledge-state encoding approach is worthwhile
to pursue from a computational perspective.

While we have presented the language $\mathcal{K}$ and discussed its basic features and advantages, several issues
are currently investigated or scheduled for future work. As for the implementation, we have already mentioned
the DLV$^{\mathcal{K}}$ system, which will be improved in a steady effort. An intriguing issue in that is the design
of efficient algorithms and methods for secure planning, since this problem is rather complex even for short
plans (it resides at the third level of the Polynomial Hierarchy). Furthermore, we are currently exploring a
possible enhancement of the planning formalism to computing optimal plans, i.e., plans whose execution
cost, measured in accumulated costs of primitive action execution, is smallest over all plans. An implementation
of optimal planning may take advantage of DLV’s optimization features which are available through
weak constraints. Finally, extensions of the language by further constructs such as sensing operators are part
of future work.
A Appendix: Further Examples of Problem Solving in $\mathcal{K}$

This appendix contains encodings of three well-known planning problems, which should further illustrate 
the practical use of language $\mathcal{K}$.


A.1 The Yale Shooting Problem

Another example for dealing with incomplete knowledge is a variation of the famous Yale Shooting Problem 
(see [32]). We assume here that the agent has a gun and does not know whether it is initially loaded. This 
can be modeled as follows: 


fluents:    alive. loaded.
actions:    load. shoot.
always:     executable shoot if loaded.
            executable load if not loaded.
            caused -alive after shoot.
            caused -loaded after shoot.
            caused loaded after load.
initially:  total loaded.
            alive.
goal:       -alive ? (1)


The total statement leads to two possible legal initial states: $s_1$ = {loaded, alive} and $s_2$ =
{-loaded, alive}. With $s_1$ shoot is executable, while it is not with $s_2$. Executing shoot establishes
the goal, so the planning problem has the optimistic plan

({shoot})

which is not secure because of $s_2$.
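
The three-step verification procedure from the proof of Theorem 5.6, run on the Yale Shooting domain above, as an added example that is not part of the original report or of the DLV system. It enumerates all candidate knowledge states as the proof describes; the Python names, the "-" prefix for classical negation, and writing total loaded as two rules with default negation are assumptions of this sketch.

```python
from collections import namedtuple

# caused head if pos, not naf after after, not after_naf.
Rule = namedtuple("Rule", "head pos naf after after_naf", defaults=((), (), (), ()))
# executable action if pos, not naf.
Exec = namedtuple("Exec", "action pos naf", defaults=((), ()))
Domain = namedtuple("Domain", "fluents always execs initially")


def knowledge_states(fluents):
    """All consistent literal sets: every fluent is true, false, or unknown."""
    states = [frozenset()]
    for f in fluents:
        states = [s | extra for s in states for extra in (set(), {f}, {"-" + f})]
    return states


def closed_states(rules, fluents):
    """Candidates s' equal to the least fixpoint of the reduct of `rules` w.r.t. s'."""
    result = []
    for cand in knowledge_states(fluents):
        reduct = [r for r in rules if not set(r.naf) & cand]
        least, changed = set(), True
        while changed:
            changed = False
            for r in reduct:
                if set(r.pos) <= least and r.head not in least:
                    least.add(r.head)
                    changed = True
        if least == cand:
            result.append(cand)
    return result


def initial_states(dom):
    """S_0: only rules without an after-part apply to the initial state."""
    static = [r for r in dom.always if not (r.after or r.after_naf)]
    return closed_states(dom.initially + static, dom.fluents)


def successors(dom, s, actions):
    """S_j(s): all s' such that <s, actions, s'> is a legal transition."""
    actions = frozenset(actions)
    for a in actions:
        if not any(e.action == a and set(e.pos) <= s and not set(e.naf) & s
                   for e in dom.execs):
            return []  # some action of the step is not executable in s
    pre = s | actions
    live = [r for r in dom.always
            if set(r.after) <= pre and not set(r.after_naf) & pre]
    return closed_states(live, dom.fluents)


def secure_check(dom, plan, goal):
    """Steps 1-3 of the verification procedure in the proof of Theorem 5.6."""
    current = set(initial_states(dom))
    if not current:
        return False
    for actions in plan:
        nxt = set()
        for s in current:
            succ = successors(dom, s, actions)
            if not succ:
                return False  # some S_j(s) is empty
            nxt.update(succ)
        current = nxt
    return all(set(goal) <= s for s in current)


def optimistic_check(dom, plan, goal):
    """True iff at least one trajectory of the plan reaches the goal."""
    current = set(initial_states(dom))
    for actions in plan:
        current = {t for s in current for t in successors(dom, s, actions)}
    return any(set(goal) <= s for s in current)


# The Yale Shooting domain from the listing above.
YALE = Domain(
    fluents=["alive", "loaded"],
    always=[Rule("-alive", after=("shoot",)),
            Rule("-loaded", after=("shoot",)),
            Rule("loaded", after=("load",))],
    execs=[Exec("shoot", pos=("loaded",)), Exec("load", naf=("loaded",))],
    # total loaded.  written out as two rules with default negation
    initially=[Rule("loaded", naf=("-loaded",)),
               Rule("-loaded", naf=("loaded",)),
               Rule("alive")],
)

if __name__ == "__main__":
    print(optimistic_check(YALE, [{"shoot"}], ["-alive"]),
          secure_check(YALE, [{"shoot"}], ["-alive"]))
```

Replacing the total statement by the fact loaded leaves a single legal initial state, and the same plan ({shoot}) then passes the security check.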


A.2 The Monkey and Banana Problem 

This example is a variation of the Monkey and Banana problem as described in the CCALC manual
(<URL:http://www.cs.utexas.edu/users/mccain/cc/>). It shows that in $\mathcal{K}$ the applicability
of actions can be formulated very intuitively by using the executable statement. The encoding in
CCALC uses many nonexecutable statements instead.

In the background knowledge we have three objects: the monkey, the banana and a box. 

object(box). object(monkey). object(banana).


Furthermore there are three locations: 1, 2 and 3. 
location(1). location(2). location(3).

In the beginning, the monkey is at location 1, the box is at location 2, and the banana is hanging from 
the ceiling over location 3. The monkey shall get the banana by moving the box towards it, climbing the 
box, and then grasping the banana hanging from the ceiling. We solve this problem using the following $\mathcal{K}$
program: 

fluents:    at(O,L) requires object(O), location(L).
            onBox.
            hasBanana.
actions:    walk(L) requires location(L).
            pushBox(L) requires location(L).
            climbBox.
            graspBanana.
always:     caused at(monkey,L) after walk(L).
            caused -at(monkey,L) after walk(L1), at(monkey,L), L <> L1.
            executable walk(L) if not onBox.
            caused at(monkey,L) after pushBox(L).
            caused at(box,L) after pushBox(L).
            caused -at(monkey,L) after pushBox(L1), at(monkey,L), L <> L1.
            caused -at(box,L) after pushBox(L1), at(box,L), L <> L1.
            executable pushBox(L) if at(monkey,L1), at(box,L1), not onBox.
            caused onBox after climbBox.
            executable climbBox if not onBox, at(monkey,L), at(box,L).
            caused hasBanana after graspBanana.
            executable graspBanana if onBox, at(monkey,L), at(banana,L).
            inertial at(O,L).
            inertial onBox.
            inertial hasBanana.
initially:  at(monkey,1).
            at(box,2).
            at(banana,3).
noConcurrency.
goal:       hasBanana ? (4)

For this planning problem, the following secure plan exists: 

({walk(2)}, {pushBox(3)}, {climbBox}, {graspBanana}) 

Let us now deal with incomplete knowledge about the location of objects. As in the Blocks
World example in Section 3.2, we introduce a new fluent:

objectIsSomewhere(O) requires object(O).


Furthermore, we add the following constraints and rules in the initial state: 

forbidden at(O,L), at(O,L1), L <> L1.
forbidden onBox, at(monkey,L), not at(box,L).
caused objectIsSomewhere(O) if at(O,L).
forbidden not objectIsSomewhere(O).

These constraints guarantee a correct initial state. 
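
The following sketch is an added illustration, not code from the paper and not DLV^K input: the A.2 rules are hand-translated into a small Python simulator that classifies a plan as secure or merely optimistic. It assumes, beyond the text, that incomplete knowledge means some object locations are left unspecified, and that onBox and hasBanana do not hold initially; all function names are this example's own.

```python
from itertools import product

LOCATIONS = (1, 2, 3)
OBJECTS = ("monkey", "box", "banana")

def legal_initial_states(known):
    """All initial states consistent with `known` and the initial-state
    constraints: every object is at exactly one location. Assumption of this
    example: onBox and hasBanana do not hold initially."""
    unknown = [o for o in OBJECTS if o not in known]
    for locs in product(LOCATIONS, repeat=len(unknown)):
        yield {**known, **dict(zip(unknown, locs)),
               "onBox": False, "hasBanana": False}

def step(s, action, loc=None):
    """Successor state, or None if the action's `executable` condition fails."""
    n = dict(s)
    with_box = s["monkey"] == s["box"]
    if action == "walk" and not s["onBox"]:
        n["monkey"] = loc
    elif action == "pushBox" and with_box and not s["onBox"]:
        n["monkey"] = n["box"] = loc
    elif action == "climbBox" and with_box and not s["onBox"]:
        n["onBox"] = True
    elif action == "graspBanana" and s["onBox"] and s["monkey"] == s["banana"]:
        n["hasBanana"] = True
    else:
        return None
    return n

def reaches_goal(s, plan):
    for action in plan:
        s = step(s, *action)
        if s is None:
            return False
    return s["hasBanana"]

def classify(known, plan):
    """'secure' if the plan works from every legal initial state,
    'optimistic only' if from at least one, otherwise 'no plan'."""
    outcomes = [reaches_goal(s, plan) for s in legal_initial_states(known)]
    if all(outcomes):
        return "secure"
    return "optimistic only" if any(outcomes) else "no plan"

# The four-step plan given in the text.
PLAN = [("walk", 2), ("pushBox", 3), ("climbBox",), ("graspBanana",)]
```

With all three locations known, classify reports the plan as secure; if the box's location is dropped from `known`, the same plan is only optimistic, because pushBox(3) is not executable unless the box happens to be at location 2.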

A.3 The Rocket Transport Problem 

This example is a variation of a planning problem for rockets introduced in [71]. There are two one-way 
rockets, which can transport cargo objects from one place to another. The objects have to be loaded on the 
rocket and unloaded at the destination. This example shows the capability of K to deal with concurrent
actions, as the two rockets can be loaded, can move, and can be unloaded in parallel. 

The background knowledge consists of three places, the two rockets and the objects to transport: 

rocket(sojus). rocket(apollo). 
cargo(food). cargo(tools). cargo(car). 
place(earth). place(mir). place(moon). 

The action description for the rocket planning domain comprises three actions move(R, L), load(C,R) 
and unload(C,R). The fluents are atR(R, L) (where the rocket currently is), atC(C, L) (where the cargo 
object currently is), in(C,R) (describing that an object is inside a rocket) and hasFuel(R) (the rocket has 
fuel and can move). Now let us solve the problem of transporting the car to the moon and food and tools 
to Mir, given that all objects are initially on the earth and both rockets have fuel. We define the following 
planning problem: 


fluents:    atR(R,P) requires rocket(R), place(P).
            atC(C,P) requires cargo(C), place(P).
            in(C,R) requires rocket(R), cargo(C).
            hasFuel(R) requires rocket(R).
actions:    move(R,P) requires rocket(R), place(P).
            load(C,R) requires rocket(R), cargo(C).
            unload(C,R) requires rocket(R), cargo(C).
always:     caused atR(R,P) after move(R,P).
            caused -atR(R,P) after move(R,P1), atR(R,P).
            caused -hasFuel(R) after move(R,P).
            executable move(R,P) if hasFuel(R), not atR(R,P).
            caused in(C,R) after load(C,R).
            caused -atC(C,P) after load(C,R), atC(C,P).
            executable load(C,R) if atC(C,P), atR(R,P).
            caused atC(C,P) after unload(C,R), atR(R,P).
            caused -in(C,R) after unload(C,R).
            executable unload(C,R) if in(C,R).
            nonexecutable move(R,P) if load(C,R).
            nonexecutable move(R,P) if unload(C,R).
            nonexecutable move(R,P) if move(R,P1), P <> P1.
            nonexecutable load(C,R) if load(C,R1), R <> R1.
            inertial atC(C,L).
            inertial atR(R,L).
            inertial in(C,R).
            inertial hasFuel(R).
initially:  atR(R,earth).
            atC(C,earth).
            hasFuel(R).
goal:       atC(car,moon), atC(food,mir), atC(tools,mir) ? (3)

The nonexecutable statements exclude simultaneous actions as follows: 

• loading/unloading a rocket and moving it; 

• moving a rocket to two different places; 

• loading an object on two different rockets. 

For the given goal, there are two secure plans, where in the first one rocket sojus flies to the moon and
apollo flies to Mir, and in the second one the roles are interchanged:

( {load(food, sojus), load(tools, sojus), load(car, apollo)},
  {move(sojus, mir), move(apollo, moon)},
  {unload(food, sojus), unload(tools, sojus), unload(car, apollo)} )

( {load(car, sojus), load(food, apollo), load(tools, apollo)},
  {move(sojus, moon), move(apollo, mir)},
  {unload(car, sojus), unload(food, apollo), unload(tools, apollo)} )
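
As an added illustration (not the paper's code and not DLV^K input), the rocket domain above can be hand-translated into a Python validator for plans with concurrent actions. Actions are written as tuples (kind, first argument, second argument) in the argument order of the K program; the function names and the state layout are this example's own.

```python
ROCKETS, CARGO = ("sojus", "apollo"), ("food", "tools", "car")
GOAL = {"car": "moon", "food": "mir", "tools": "mir"}

def executable(s, kind, x, y):
    if kind == "move":      # move(R,P): hasFuel(R), not atR(R,P)
        return x in s["fuel"] and s["atR"][x] != y
    if kind == "load":      # load(C,R): atC(C,P), atR(R,P)
        return x in s["atC"] and s["atC"][x] == s["atR"][y]
    return s["in"].get(x) == y                 # unload(C,R): in(C,R)

def conflict(acts):
    """True if a `nonexecutable` rule forbids this set of concurrent actions."""
    moves = [(x, y) for k, x, y in acts if k == "move"]
    loads = [(x, y) for k, x, y in acts if k == "load"]
    busy = {y for k, x, y in acts if k != "move"}        # rockets being (un)loaded
    return (any(r in busy for r, _ in moves)             # (un)load while moving
            or len({r for r, _ in moves}) < len(moves)   # one rocket, two places
            or len({c for c, _ in loads}) < len(loads))  # one cargo, two rockets

def step(s, acts):
    """State after executing `acts` in parallel, or None if that is illegal."""
    if conflict(acts) or not all(executable(s, *a) for a in acts):
        return None
    n = {k: (set(v) if k == "fuel" else dict(v)) for k, v in s.items()}
    for kind, x, y in acts:
        if kind == "move":
            n["atR"][x] = y
            n["fuel"].discard(x)          # caused -hasFuel(R) after move(R,P)
        elif kind == "load":
            n["in"][x] = y
            del n["atC"][x]               # caused -atC(C,P) after load(C,R)
        else:
            del n["in"][x]
            n["atC"][x] = s["atR"][y]     # unloaded where the rocket is
    return n

def achieves_goal(plan):
    # initially: atR(R,earth). atC(C,earth). hasFuel(R).
    s = {"atR": dict.fromkeys(ROCKETS, "earth"),
         "atC": dict.fromkeys(CARGO, "earth"), "in": {}, "fuel": set(ROCKETS)}
    for acts in plan:
        s = step(s, acts)
        if s is None:
            return False
    return all(s["atC"].get(c) == p for c, p in GOAL.items())

# First plan listed in the text: one set of concurrent actions per step.
PLAN_1 = [{("load", "food", "sojus"), ("load", "tools", "sojus"), ("load", "car", "apollo")},
          {("move", "sojus", "mir"), ("move", "apollo", "moon")},
          {("unload", "food", "sojus"), ("unload", "tools", "sojus"), ("unload", "car", "apollo")}]
```

Because the initial state is completely specified and every action is deterministic, a single simulated trajectory is enough to confirm that a plan accepted by achieves_goal is secure.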


